Windows Analysis Report
Packing list.exe

Overview

General Information

Sample Name: Packing list.exe
Analysis ID: 680524
MD5: c7a4e2993e53b71353110debf193f711
SHA1: c5cc5b995685cf3474d0998dc8f8be0080635f2c
SHA256: 2698f26bc94c6ee64dd216f13c805f6a2ee512c47f1a23f026dd606adc42fcb9
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign process
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Deletes itself after installation
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: Packing list.exe Virustotal: Detection: 43%
Source: Yara match File source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: www.pahunt.org/umhl/ Avira URL Cloud: Label: malware
Source: Packing list.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\jcWxLdFqdoHatB.exe Joe Sandbox ML: detected
Source: 8.0.Packing list.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.pahunt.org/umhl/"], "decoy": ["mB8gvYWKNnd+6kcRK8M=", "7zn0DtefQVZc3UcRK8M=", "qj9AgFfem/K5", "7W+k2buMQnZxzkqW8v2wDA==", "BXmNsJSLLt9UZYuO3C2l", "PHnylup3Ec5YTj8qPV+8", "5wuv0g7RYfoLhg==", "qy3Wf2Qv9yamjg==", "EWjULZ91La2UEjQ=", "aN2KCV/tiOP2gyVROJbK2Fg=", "a9tVEduGJF1q4GcHnr2dBg==", "111flmRlGlRY0vPmzRR63KW1wyqR6Q==", "f7+r8NeWp+WZYf6D8v2wDA==", "LGG2X0VJ1rSPHL0Yd/60", "A21qVr1P5aZSS/pCOZbK2Fg=", "W7uNpIBT4NZ+WoHtRGa+", "YpWyeGx/Qx22izPhZenb5O65", "xPm54b/IeWRI4IYqPV+8", "gtxoMfmYZ0HgmQ==", "LMlLAuXndyCmnEXPMpdwBwxB0g==", "siWU81PxsC+0oEWT8v2wDA==", "ks2JuqR+Kkb324cqPV+8", "7CHy2pNs9fzthn43", "uTnZelYp9yamjg==", "FYR8ZtIuEACu", "QV+IJwsM0kTK+2oVgQ==", "I60qeTRmGDxa4UcRK8M=", "bI7FSA8i5lsh0IMkgw==", "fPDj0E0bvTlUwOLGFVq2", "oOS6vYWSNl3Gn4c1", "MMijCmIt6ShS2/7z4Dvb5O65", "hMS597ZZ/MZLKR7nZ54/kNuz", "K2nSnIFmKWqgHFcyv/imbncPSqo=", "4Xb7v/PEdz7Y+2oVgQ==", "Vt2QCbF0aJ4=", "m9VmkEwbxnIa/p3YBFc98Gux", "Q7lAGwwBhTLthn43", "DlGQCZkaysdZJh8yWdKN6m+x", "CF0uM/wT2M7JHzQqPV+8", "1wevt3hI3tPaR2ozyQe1it7fHPg/eczb", "qxcRVQuWHw1MKdA4", "dMADqcZ+K4I=", "H3ZFO+VrJQ6lnpmPa5bK2Fg=", "I2NcqXM1zEPK+2oVgQ==", "XoQXQA0PxDRI+2oVgQ==", "9VDJi2RwODvp3Hz5d+nb5O65", "H4PEOo8dwjlj9KRE8v2wDA==", "fq1yc81rHThNtiRPOJbK2Fg=", "90u1gKqiSJc=", "HnInjdeMNq2UEjQ=", "3O7PDrhF5tWQl8Iwiw==", "AXuXhUUotKqgEHuvpP/GHaUbXbTp8o5Lpg==", "edtWHfXmei7thn43", "1vdgIc5iAGSI60cRK8M=", "sj5/NqAuEACu", "dpQOonl8Rr7LGTZGYZX9RTsVSrM=", "rt0X7dDlpHsQFcJC8v2wDA==", "+nf/2b/GeGL/AHBFB0erBoHNITKM4Q==", "MLMz38fRYBvGpEWX8v2wDA==", "I186c0wbqBqOlnEPXsSi6j64nGru", "CipT7MK3Xrk2U7YQJHvxBA==", "2k/ZrIpV38eJR3Au", "83OJo30uEACu", "yva3tQ7Zsm36/6Qbgtk8EOkFF2SA6Q=="]}
Source: Packing list.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Packing list.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: Packing list.exe, 00000008.00000002.562708462.0000000001A90000.00000040.00000800.00020000.00000000.sdmp, Packing list.exe, 00000008.00000003.458129700.00000000018F1000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.682832403.0000000004810000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.560808608.0000000000A04000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.684541829.000000000492F000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.566392906.0000000000BAF000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Packing list.exe, Packing list.exe, 00000008.00000002.562708462.0000000001A90000.00000040.00000800.00020000.00000000.sdmp, Packing list.exe, 00000008.00000003.458129700.00000000018F1000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, raserver.exe, 00000013.00000002.682832403.0000000004810000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.560808608.0000000000A04000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.684541829.000000000492F000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.566392906.0000000000BAF000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Packing list.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_086745A0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_086745B0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 4x nop then pop edi 19_2_032D8920
Source: C:\Windows\SysWOW64\raserver.exe Code function: 4x nop then pop edi 19_2_032D439F
Source: C:\Windows\SysWOW64\raserver.exe Code function: 4x nop then pop edi 19_2_032D891F
Source: C:\Windows\SysWOW64\raserver.exe Code function: 4x nop then pop edi 19_2_032D8911

Networking

Source: C:\Windows\explorer.exe Domain query: www.chillsafe.online
Source: C:\Windows\explorer.exe Domain query: www.alshared.info
Source: Malware configuration extractor URLs: www.pahunt.org/umhl/
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comRes
Source: Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coma-dY
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.456872900.0000000006100000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Packing list.exe, 00000000.00000003.456872900.0000000006100000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comC
Source: Packing list.exe, 00000000.00000003.456872900.0000000006100000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.como
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.417011575.000000000610B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Packing list.exe, 00000000.00000003.417047585.0000000006105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Packing list.exe, 00000000.00000003.424293456.0000000006102000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.424293456.0000000006102000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.417883204.0000000006103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Packing list.exe, 00000000.00000003.417883204.0000000006103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comlic
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn$
Source: Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.
Source: Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnx
Source: unknown DNS traffic detected: queries for: www.chillsafe.online
Source: Packing list.exe, 00000000.00000002.457845803.0000000001589000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Packing list.exe.33f638c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Packing list.exe PID: 1320, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: raserver.exe PID: 3856, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Packing list.exe, AddCompanyForm.cs Long String: Length: 20037
Source: jcWxLdFqdoHatB.exe.0.dr, AddCompanyForm.cs Long String: Length: 20037
Source: 0.0.Packing list.exe.e70000.0.unpack, AddCompanyForm.cs Long String: Length: 20037
Source: Packing list.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Packing list.exe.33f638c.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Packing list.exe PID: 6064, type: MEMORYSTR Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: Packing list.exe PID: 1320, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: raserver.exe PID: 3856, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_0339E820 0_2_0339E820
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_0339E810 0_2_0339E810
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_0339BF54 0_2_0339BF54
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE63F8 0_2_07DE63F8
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE2D00 0_2_07DE2D00
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE4B00 0_2_07DE4B00
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE9608 0_2_07DE9608
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE5550 0_2_07DE5550
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DED320 0_2_07DED320
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE3EE0 0_2_07DE3EE0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE8640 0_2_07DE8640
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE8632 0_2_07DE8632
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE8410 0_2_07DE8410
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE8420 0_2_07DE8420
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE63D5 0_2_07DE63D5
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DEC3E8 0_2_07DEC3E8
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE6308 0_2_07DE6308
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DEE338 0_2_07DEE338
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE4FB0 0_2_07DE4FB0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE4FA0 0_2_07DE4FA0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE4AF1 0_2_07DE4AF1
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE8A58 0_2_07DE8A58
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DECA40 0_2_07DECA40
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE8A68 0_2_07DE8A68
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE885B 0_2_07DE885B
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE8868 0_2_07DE8868
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE95D1 0_2_07DE95D1
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE5543 0_2_07DE5543
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE32D8 0_2_07DE32D8
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE32E8 0_2_07DE32E8
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE7090 0_2_07DE7090
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DE3E08 0_2_07DE3E08
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DEDD30 0_2_07DEDD30
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_07DED828 0_2_07DED828
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_08670040 0_2_08670040
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_08670011 0_2_08670011
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AD4120 8_2_01AD4120
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ABF900 8_2_01ABF900
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE20A0 8_2_01AE20A0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B820A8 8_2_01B820A8
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ACB090 8_2_01ACB090
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B828EC 8_2_01B828EC
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B71002 8_2_01B71002
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AEEBB0 8_2_01AEEBB0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B7DBD2 8_2_01B7DBD2
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B82B28 8_2_01B82B28
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B822AE 8_2_01B822AE
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE2581 8_2_01AE2581
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ACD5E0 8_2_01ACD5E0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B825DD 8_2_01B825DD
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AB0D20 8_2_01AB0D20
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B82D07 8_2_01B82D07
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B81D55 8_2_01B81D55
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AC841F 8_2_01AC841F
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B7D466 8_2_01B7D466
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B81FF1 8_2_01B81FF1
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B82EF7 8_2_01B82EF7
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AD6E30 8_2_01AD6E30
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B7D616 8_2_01B7D616
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_004202EF 8_2_004202EF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0484841F 19_2_0484841F
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048FD466 19_2_048FD466
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04862581 19_2_04862581
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_049025DD 19_2_049025DD
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0484D5E0 19_2_0484D5E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04902D07 19_2_04902D07
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04830D20 19_2_04830D20
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04901D55 19_2_04901D55
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04902EF7 19_2_04902EF7
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048FD616 19_2_048FD616
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04856E30 19_2_04856E30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0490DFCE 19_2_0490DFCE
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04901FF1 19_2_04901FF1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0484B090 19_2_0484B090
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048620A0 19_2_048620A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_049020A8 19_2_049020A8
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_049028EC 19_2_049028EC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F1002 19_2_048F1002
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0490E824 19_2_0490E824
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0483F900 19_2_0483F900
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04854120 19_2_04854120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_049022AE 19_2_049022AE
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048EFA2B 19_2_048EFA2B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486EBB0 19_2_0486EBB0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F03DA 19_2_048F03DA
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048FDBD2 19_2_048FDBD2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04902B28 19_2_04902B28
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032D8920 19_2_032D8920
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032EEB93 19_2_032EEB93
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032EFAA0 19_2_032EFAA0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032F02EF 19_2_032F02EF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032DE9E0 19_2_032DE9E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032EEF76 19_2_032EEF76
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032D2FB0 19_2_032D2FB0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032EFD3A 19_2_032EFD3A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032D9DA0 19_2_032D9DA0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032D2D8F 19_2_032D2D8F
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032D9D9D 19_2_032D9D9D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032D2D90 19_2_032D2D90
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032EF4D3 19_2_032EF4D3
Source: C:\Windows\SysWOW64\raserver.exe Code function: String function: 0483B150 appears 45 times
Source: C:\Users\user\Desktop\Packing list.exe Code function: String function: 01ABB150 appears 35 times
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF99A0 NtCreateSection,LdrInitializeThunk, 8_2_01AF99A0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_01AF9910
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF98F0 NtReadVirtualMemory,LdrInitializeThunk, 8_2_01AF98F0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9860 NtQuerySystemInformation,LdrInitializeThunk, 8_2_01AF9860
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9840 NtDelayExecution,LdrInitializeThunk, 8_2_01AF9840
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9A20 NtResumeThread,LdrInitializeThunk, 8_2_01AF9A20
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9A00 NtProtectVirtualMemory,LdrInitializeThunk, 8_2_01AF9A00
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9A50 NtCreateFile,LdrInitializeThunk, 8_2_01AF9A50
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF95D0 NtClose,LdrInitializeThunk, 8_2_01AF95D0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9540 NtReadFile,LdrInitializeThunk, 8_2_01AF9540
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF97A0 NtUnmapViewOfSection,LdrInitializeThunk, 8_2_01AF97A0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9780 NtMapViewOfSection,LdrInitializeThunk, 8_2_01AF9780
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9FE0 NtCreateMutant,LdrInitializeThunk, 8_2_01AF9FE0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9710 NtQueryInformationToken,LdrInitializeThunk, 8_2_01AF9710
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF96E0 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_01AF96E0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9660 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_01AF9660
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF99D0 NtCreateProcessEx, 8_2_01AF99D0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9950 NtQueueApcThread, 8_2_01AF9950
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF98A0 NtWriteVirtualMemory, 8_2_01AF98A0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9820 NtEnumerateKey, 8_2_01AF9820
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AFB040 NtSuspendThread, 8_2_01AFB040
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AFA3B0 NtGetContextThread, 8_2_01AFA3B0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9B00 NtSetValueKey, 8_2_01AF9B00
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9A80 NtOpenDirectoryObject, 8_2_01AF9A80
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9A10 NtQuerySection, 8_2_01AF9A10
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF95F0 NtQueryInformationFile, 8_2_01AF95F0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9520 NtWaitForSingleObject, 8_2_01AF9520
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AFAD30 NtSetContextThread, 8_2_01AFAD30
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9560 NtWriteFile, 8_2_01AF9560
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9730 NtQueryVirtualMemory, 8_2_01AF9730
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AFA710 NtOpenProcessToken, 8_2_01AFA710
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9760 NtOpenProcess, 8_2_01AF9760
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AFA770 NtOpenThread, 8_2_01AFA770
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9770 NtSetInformationFile, 8_2_01AF9770
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF96D0 NtCreateKey, 8_2_01AF96D0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9610 NtEnumerateValueKey, 8_2_01AF9610
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9670 NtQueryInformationProcess, 8_2_01AF9670
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF9650 NtQueryValueKey, 8_2_01AF9650
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048795D0 NtClose,LdrInitializeThunk, 19_2_048795D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879540 NtReadFile,LdrInitializeThunk, 19_2_04879540
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048796D0 NtCreateKey,LdrInitializeThunk, 19_2_048796D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048796E0 NtFreeVirtualMemory,LdrInitializeThunk, 19_2_048796E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879650 NtQueryValueKey,LdrInitializeThunk, 19_2_04879650
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879660 NtAllocateVirtualMemory,LdrInitializeThunk, 19_2_04879660
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879780 NtMapViewOfSection,LdrInitializeThunk, 19_2_04879780
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879FE0 NtCreateMutant,LdrInitializeThunk, 19_2_04879FE0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879710 NtQueryInformationToken,LdrInitializeThunk, 19_2_04879710
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879840 NtDelayExecution,LdrInitializeThunk, 19_2_04879840
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879860 NtQuerySystemInformation,LdrInitializeThunk, 19_2_04879860
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048799A0 NtCreateSection,LdrInitializeThunk, 19_2_048799A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879910 NtAdjustPrivilegesToken,LdrInitializeThunk, 19_2_04879910
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879A50 NtCreateFile,LdrInitializeThunk, 19_2_04879A50
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048795F0 NtQueryInformationFile, 19_2_048795F0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879520 NtWaitForSingleObject, 19_2_04879520
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0487AD30 NtSetContextThread, 19_2_0487AD30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879560 NtWriteFile, 19_2_04879560
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879610 NtEnumerateValueKey, 19_2_04879610
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879670 NtQueryInformationProcess, 19_2_04879670
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048797A0 NtUnmapViewOfSection, 19_2_048797A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0487A710 NtOpenProcessToken, 19_2_0487A710
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879730 NtQueryVirtualMemory, 19_2_04879730
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879760 NtOpenProcess, 19_2_04879760
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0487A770 NtOpenThread, 19_2_0487A770
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879770 NtSetInformationFile, 19_2_04879770
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048798A0 NtWriteVirtualMemory, 19_2_048798A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048798F0 NtReadVirtualMemory, 19_2_048798F0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879820 NtEnumerateKey, 19_2_04879820
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0487B040 NtSuspendThread, 19_2_0487B040
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048799D0 NtCreateProcessEx, 19_2_048799D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879950 NtQueueApcThread, 19_2_04879950
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879A80 NtOpenDirectoryObject, 19_2_04879A80
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879A00 NtProtectVirtualMemory, 19_2_04879A00
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879A10 NtQuerySection, 19_2_04879A10
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879A20 NtResumeThread, 19_2_04879A20
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0487A3B0 NtGetContextThread, 19_2_0487A3B0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04879B00 NtSetValueKey, 19_2_04879B00
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032EB950 NtAllocateVirtualMemory, 19_2_032EB950
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032EB820 NtReadFile, 19_2_032EB820
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032EB870 NtDeleteFile, 19_2_032EB870
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032EB8A0 NtClose, 19_2_032EB8A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032EB770 NtCreateFile, 19_2_032EB770
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032EB86A NtDeleteFile, 19_2_032EB86A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032EB89A NtClose, 19_2_032EB89A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032EB76A NtCreateFile, 19_2_032EB76A
Source: Packing list.exe, 00000000.00000002.457845803.0000000001589000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Packing list.exe
Source: Packing list.exe, 00000000.00000002.466545787.0000000004551000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Packing list.exe
Source: Packing list.exe, 00000000.00000002.466545787.0000000004551000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameG702.exe6 vs Packing list.exe
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs Packing list.exe
Source: Packing list.exe, 00000000.00000002.472987115.0000000007CD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Packing list.exe
Source: Packing list.exe, 00000000.00000000.410358073.0000000000F46000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameG702.exe6 vs Packing list.exe
Source: Packing list.exe, 00000000.00000003.446205184.0000000003A08000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Packing list.exe
Source: Packing list.exe, 00000008.00000003.458924092.0000000001A10000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Packing list.exe
Source: Packing list.exe, 00000008.00000002.566860104.0000000001BAF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Packing list.exe
Source: Packing list.exe, 00000008.00000003.456310804.000000000186E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Packing list.exe
Source: Packing list.exe, 00000008.00000002.562266975.00000000015B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameraserver.exej% vs Packing list.exe
Source: Packing list.exe Binary or memory string: OriginalFilenameG702.exe6 vs Packing list.exe
Source: Packing list.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jcWxLdFqdoHatB.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Packing list.exe Virustotal: Detection: 43%
Source: C:\Users\user\Desktop\Packing list.exe File read: C:\Users\user\Desktop\Packing list.exe
Source: Packing list.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Packing list.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Packing list.exe "C:\Users\user\Desktop\Packing list.exe"
Source: C:\Users\user\Desktop\Packing list.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcWxLdFqdoHatB" /XML "C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Packing list.exe Process created: C:\Users\user\Desktop\Packing list.exe {path}
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Users\user\Desktop\Packing list.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Packing list.exe File created: C:\Users\user\AppData\Roaming\jcWxLdFqdoHatB.exe
Source: C:\Users\user\Desktop\Packing list.exe File created: C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/3@3/0
Source: C:\Users\user\Desktop\Packing list.exe File read: C:\Users\user\Desktop\desktop.ini
Source: Packing list.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Packing list.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Packing list.exe Mutant created: \Sessions\1\BaseNamedObjects\JcKpFLwEHGkRAE
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_01
Source: Packing list.exe String found in binary or memory: Address:/AddressToolStripTextBox-AddressToolStripButton'ToolStripSeparator3'PhoneToolStripLabel
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Packing list.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Packing list.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Packing list.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: Packing list.exe, 00000008.00000002.562708462.0000000001A90000.00000040.00000800.00020000.00000000.sdmp, Packing list.exe, 00000008.00000003.458129700.00000000018F1000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.682832403.0000000004810000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.560808608.0000000000A04000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.684541829.000000000492F000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.566392906.0000000000BAF000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Packing list.exe, Packing list.exe, 00000008.00000002.562708462.0000000001A90000.00000040.00000800.00020000.00000000.sdmp, Packing list.exe, 00000008.00000003.458129700.00000000018F1000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, raserver.exe, 00000013.00000002.682832403.0000000004810000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.560808608.0000000000A04000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.684541829.000000000492F000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.566392906.0000000000BAF000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: Packing list.exe, AddCompanyForm.cs .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: jcWxLdFqdoHatB.exe.0.dr, AddCompanyForm.cs .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: 0.0.Packing list.exe.e70000.0.unpack, AddCompanyForm.cs .Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 0_2_0867513D push FFFFFF8Bh; iretd 0_2_0867513F
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B0D0D1 push ecx; ret 8_2_01B0D0E4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0488D0D1 push ecx; ret 19_2_0488D0E4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032EEB5C push eax; ret 19_2_032EEB62
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032EEAA5 push eax; ret 19_2_032EEAF8
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032EEAFB push eax; ret 19_2_032EEB62
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032EEAF2 push eax; ret 19_2_032EEAF8
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032E4126 push FFFFFF98h; ret 19_2_032E412A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032E919F push ss; retf 19_2_032E91AD
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032E7F12 push ebx; iretd 19_2_032E7F19
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032ECD73 pushad ; iretd 19_2_032ECD74
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032D3DD7 pushad ; ret 19_2_032D3DAD
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_032D3C87 push cs; iretd 19_2_032D3C96
Source: initial sample Static PE information: section name: .text entropy: 7.781035493181961
Source: C:\Users\user\Desktop\Packing list.exe File created: C:\Users\user\AppData\Roaming\jcWxLdFqdoHatB.exe

Boot Survival

Source: C:\Users\user\Desktop\Packing list.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcWxLdFqdoHatB" /XML "C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\raserver.exe File deleted: c:\users\user\desktop\packing list.exe Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Process information set: NOOPENFILEERRORBOX (35 identical events)
The flag is SEM_NOOPENFILEERRORBOX (0x8000) passed to SetErrorMode; it suppresses the dialog Windows would otherwise show when an attempt to open a missing file fails. Benign code sets it as well around library and file probes, so the 35 calls from the dropper are weak evidence on their own.
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
SEM_NOGPFAULTERRORBOX (0x0002) additionally suppresses the crash dialog and error-reporting prompt for the process, so a faulting payload inside raserver.exe dies silently instead of alerting the user. That mode, set from within a system process the sample has taken over, is the telling entry here.

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Packing list.exe PID: 6064, type: MEMORYSTR
Source: Packing list.exe, 00000000.00000002.463942931.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Packing list.exe, 00000000.00000002.463942931.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
These two strings are module and export names, not file artefacts: SbieDll.dll is the user-mode DLL Sandboxie injects into every sandboxed process, and wine_get_unix_file_name is an export of Wine's kernel32. Looking them up (GetModuleHandle / GetProcAddress) is the standard check for a Sandboxie or Wine environment.
Source: C:\Users\user\Desktop\Packing list.exe TID: 6048 Thread sleep time: -922337203685477s >= -30000s
The magnitude 922337203685477 is 2^63 / 10^4, i.e. the INT64_MIN interval that Sleep(INFINITE) hands to NtDelayExecution. This is one thread parked on an unbounded wait rather than a timed delay loop, so a long-sleep verdict resting on this value alone is weak; the shorter delays and the timing code below carry more weight.
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B85BA5 rdtsc 8_2_01B85BA5
rdtsc reads the CPU time-stamp counter; two reads around a code region give an instruction-level timer with which the code can detect single-stepping, breakpoints or an emulator, all of which make the measured interval abnormally large. The same function also reads the PEB (see the fs:[30h] list below).
Source: C:\Users\user\Desktop\Packing list.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Packing list.exe API coverage: 5.4 %
Source: C:\Windows\SysWOW64\raserver.exe API coverage: 9.3 %
Source: C:\Users\user\Desktop\Packing list.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Packing list.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 0000000A.00000000.518640024.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.539248413.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000A.00000000.518640024.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: explorer.exe, 0000000A.00000000.518640024.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000000A.00000000.539248413.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000A.00000000.475254478.0000000006915000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.475637080.00000000069D0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 0000000A.00000000.518640024.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 0000000A.00000000.539248413.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Two different things are mixed in the list above. The entries sourced from explorer.exe (process index 0000000A) are the analysis VM's own device paths (VMware SATA CD-ROM, VMware virtual disk, Microsoft virtual DVD-ROM) as explorer enumerated them; they describe the sandbox, not the sample, and would appear in any report produced on this VM. The entries sourced from Packing list.exe's own memory are the sample's check list: the VMware Tools install path and registry key, the SCSI device map (HARDWARE\DEVICEMAP\Scsi\Scsi Port N\...\Logical Unit Id 0, whose Identifier value carries the disk vendor string), SYSTEM\ControlSet001\Services\Disk\Enum (disk hardware IDs), the display-adapter class key {4D36E968-E325-11CE-BFC1-08002BE10318}\0000 (where "VMware SVGA II" is the driver description), and the substrings "vmware" / "VMWARE" compared against those values. The SQL connection string that shares a line with "VMware SVGA II" is simply the next string in the dumped region; it is not part of the check.
Source: C:\Users\user\Desktop\Packing list.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Packing list.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\raserver.exe Process token adjusted: Debug
SeDebugPrivilege is enabled through AdjustTokenPrivileges, the usual precursor to opening other processes for injection. The call only succeeds if the account already holds the privilege (administrators); for a standard user it returns ERROR_NOT_ALL_ASSIGNED and the code carries on, so this event records intent rather than capability.
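The raw event lines in both sections above are long and repetitive, and an analyst usually wants them collapsed into counts and classes before reading further. The following Python is an added example (not code from the report, from the sandbox vendor or from the sample) that parses lines in exactly the form shown here, drops the "Jump to behavior" link text, collapses verbatim repeats, counts fs:[30h] (PEB) reads per function, records rdtsc use, flags the sandbox and VM artefact strings found in the sample's own memory, and decodes the sleep values. The artefact labels, the regular expressions and the embedded SAMPLE_LINES (a subset of this section's lines, copied verbatim) are our own additions.

```python
"""Triage helper for the raw 'Source:' lines of a sandbox behaviour report.
Added example, not code from the report, its vendor or the sample: it collapses
repeats, counts fs:[30h] (PEB) reads per function, flags sandbox/VM artefact
strings, records rdtsc use and decodes the reported sleep values."""
import re
from collections import Counter

# Strings the report found in the sample's own memory, with what each indicates
# (the labels are ours).
ARTEFACTS = {
    "SBIEDLL.DLL": "Sandboxie",
    "WINE_GET_UNIX_FILE_NAME": "Wine",
    "SOFTWARE\\VMware, Inc.\\VMware Tools": "VMware Tools registry key",
    "VMware SVGA II": "VMware display adapter name",
    "HARDWARE\\DEVICEMAP\\Scsi": "SCSI device map (disk vendor lookup)",
    "Services\\Disk\\Enum": "disk enumeration key",
}

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) "
    r"(?P<kind>File deleted|Process information set|Process information queried"
    r"|Binary or memory string|Code function|Thread delayed|API coverage"
    r"|Last function|Process token adjusted|TID: \d+ Thread sleep time|File source)"
    r": (?P<detail>.*?)(?: Jump to behavior)?$"
)
PEB_RE = re.compile(r"^(?P<func>\S+) mov e[a-d]x, dword ptr fs:\[00000030h\]")
NUM_RE = re.compile(r"-?\d+")

# Sleep(INFINITE) hands NtDelayExecution an interval of INT64_MIN 100-ns ticks;
# the report prints that magnitude divided by 10**4, i.e. 922337203685477.
INFINITE_SLEEP = (1 << 63) // 10**4


def parse_line(line):
    """Split one report line into (source, kind, detail); None if unrecognised."""
    m = LINE_RE.match(line.strip())
    return (m.group("src"), m.group("kind"), m.group("detail")) if m else None


def decode_sleep(detail):
    """Classify a 'Thread delayed' / 'Thread sleep time' value."""
    nums = NUM_RE.findall(detail)
    if nums and abs(int(nums[0])) == INFINITE_SLEEP:
        return "infinite wait (Sleep(INFINITE) interval), not a timed delay"
    return "timed delay: %s" % (nums[0] if nums else "unparsed")


def summarize(lines):
    """Collapse and classify report lines; returns a dict of findings."""
    out = {
        "repeats": Counter(),      # normalised line -> occurrences
        "peb_reads": Counter(),    # function id -> number of fs:[30h] reads
        "rdtsc": [],               # functions that read the time-stamp counter
        "artefacts": [],           # (source, matched string, meaning)
        "sleeps": [],              # (source, classification)
        "error_modes": Counter(),  # (source, SetErrorMode flags) -> occurrences
        "deleted_files": [],       # (deleting process, path)
    }
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, kind, detail = parsed
        out["repeats"]["%s %s: %s" % (src, kind, detail)] += 1
        if kind == "Code function":
            m = PEB_RE.match(detail)
            if m:
                out["peb_reads"][m.group("func")] += 1
            if "rdtsc" in detail.split():
                out["rdtsc"].append(detail.split()[0])
        elif kind == "Binary or memory string":
            for needle, meaning in ARTEFACTS.items():
                if needle.lower() in detail.lower():
                    out["artefacts"].append((src, needle, meaning))
        elif kind == "Thread delayed" or kind.endswith("Thread sleep time"):
            out["sleeps"].append((src, decode_sleep(detail)))
        elif kind == "Process information set":
            out["error_modes"][(src, detail)] += 1
        elif kind == "File deleted":
            out["deleted_files"].append((src, detail))
    return out


# Constructed input: a subset of the report lines in this section, verbatim.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\raserver.exe File deleted: c:\users\user\desktop\packing list.exe Jump to behavior",
    r"Source: C:\Users\user\Desktop\Packing list.exe Process information set: NOOPENFILEERRORBOX Jump to behavior",
    r"Source: C:\Users\user\Desktop\Packing list.exe Process information set: NOOPENFILEERRORBOX Jump to behavior",
    r"Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior",
    r"Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL",
    r"Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools",
    r"Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True",
    r"Source: explorer.exe, 0000000A.00000000.539248413.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
    r"Source: C:\Users\user\Desktop\Packing list.exe TID: 6048 Thread sleep time: -922337203685477s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B85BA5 rdtsc 8_2_01B85BA5",
] + [
    r"Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AD4120 mov eax, dword ptr fs:[00000030h] 8_2_01AD4120",
] * 4 + [
    r"Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AD4120 mov ecx, dword ptr fs:[00000030h] 8_2_01AD4120",
    r"Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE61A0 mov eax, dword ptr fs:[00000030h] 8_2_01AE61A0",
    r"Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE61A0 mov eax, dword ptr fs:[00000030h] 8_2_01AE61A0",
]
```

Running summarize(SAMPLE_LINES) yields two error-mode entries (the dropper's NOOPENFILEERRORBOX twice, raserver.exe's combined flags once), one deleted file attributed to raserver.exe, five PEB reads in 8_2_01AD4120 and two in 8_2_01AE61A0, one rdtsc function, the infinite-wait classification for the sleep, and three artefact hits, all from the sample's own memory; the explorer.exe device path deliberately matches nothing, which is the distinction an analyst has to make by hand when reading the raw list. Feeding the complete report text through the same function gives the collapsed view of this whole section.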
fs:[30h] is the PEB pointer in the 32-bit TEB. Code reads it to test PEB.BeingDebugged or PEB.NtGlobalFlag (heap flags that are set when a debugger created the process), or to walk PEB.Ldr and resolve API addresses without an import or a hookable call, which is why the sandbox records every such read. Compiler-generated code also reads the PEB (for the process heap, for instance), so the count per function matters less than which functions pair the read with the rdtsc and delay logic listed above. The 209 raw events are collapsed here to one entry per function with the number of fs:[30h] reads it contains; "eax/ecx" marks functions that load the pointer into both registers.
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B351BE mov eax, dword ptr fs:[00000030h] 8_2_01B351BE (4 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE61A0 mov eax, dword ptr fs:[00000030h] 8_2_01AE61A0 (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B369A6 mov eax, dword ptr fs:[00000030h] 8_2_01B369A6
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AEA185 mov eax, dword ptr fs:[00000030h] 8_2_01AEA185
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ADC182 mov eax, dword ptr fs:[00000030h] 8_2_01ADC182
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE2990 mov eax, dword ptr fs:[00000030h] 8_2_01AE2990
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ABB1E1 mov eax, dword ptr fs:[00000030h] 8_2_01ABB1E1 (3 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B441E8 mov eax, dword ptr fs:[00000030h] 8_2_01B441E8
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AD4120 mov eax/ecx, dword ptr fs:[00000030h] 8_2_01AD4120 (5 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE513A mov eax, dword ptr fs:[00000030h] 8_2_01AE513A (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AB9100 mov eax, dword ptr fs:[00000030h] 8_2_01AB9100 (3 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ABC962 mov eax, dword ptr fs:[00000030h] 8_2_01ABC962
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ABB171 mov eax, dword ptr fs:[00000030h] 8_2_01ABB171 (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ADB944 mov eax, dword ptr fs:[00000030h] 8_2_01ADB944 (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF90AF mov eax, dword ptr fs:[00000030h] 8_2_01AF90AF
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE20A0 mov eax, dword ptr fs:[00000030h] 8_2_01AE20A0 (6 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AEF0BF mov eax/ecx, dword ptr fs:[00000030h] 8_2_01AEF0BF (3 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AB9080 mov eax, dword ptr fs:[00000030h] 8_2_01AB9080
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B33884 mov eax, dword ptr fs:[00000030h] 8_2_01B33884 (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AB58EC mov eax, dword ptr fs:[00000030h] 8_2_01AB58EC
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B4B8D0 mov eax/ecx, dword ptr fs:[00000030h] 8_2_01B4B8D0 (6 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE002D mov eax, dword ptr fs:[00000030h] 8_2_01AE002D (5 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ACB02A mov eax, dword ptr fs:[00000030h] 8_2_01ACB02A (4 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B37016 mov eax, dword ptr fs:[00000030h] 8_2_01B37016 (3 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B84015 mov eax, dword ptr fs:[00000030h] 8_2_01B84015 (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B72073 mov eax, dword ptr fs:[00000030h] 8_2_01B72073
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B81074 mov eax, dword ptr fs:[00000030h] 8_2_01B81074
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AD0050 mov eax, dword ptr fs:[00000030h] 8_2_01AD0050 (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE4BAD mov eax, dword ptr fs:[00000030h] 8_2_01AE4BAD (3 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B85BA5 mov eax, dword ptr fs:[00000030h] 8_2_01B85BA5
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AC1B8F mov eax, dword ptr fs:[00000030h] 8_2_01AC1B8F (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B6D380 mov ecx, dword ptr fs:[00000030h] 8_2_01B6D380
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE2397 mov eax, dword ptr fs:[00000030h] 8_2_01AE2397
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B7138A mov eax, dword ptr fs:[00000030h] 8_2_01B7138A
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AEB390 mov eax, dword ptr fs:[00000030h] 8_2_01AEB390
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ADDBE9 mov eax, dword ptr fs:[00000030h] 8_2_01ADDBE9
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE03E2 mov eax, dword ptr fs:[00000030h] 8_2_01AE03E2 (6 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B353CA mov eax, dword ptr fs:[00000030h] 8_2_01B353CA (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B7131B mov eax, dword ptr fs:[00000030h] 8_2_01B7131B
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ABDB60 mov ecx, dword ptr fs:[00000030h] 8_2_01ABDB60
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE3B7A mov eax, dword ptr fs:[00000030h] 8_2_01AE3B7A (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B88B58 mov eax, dword ptr fs:[00000030h] 8_2_01B88B58
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ABDB40 mov eax, dword ptr fs:[00000030h] 8_2_01ABDB40
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ABF358 mov eax, dword ptr fs:[00000030h] 8_2_01ABF358
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AB52A5 mov eax, dword ptr fs:[00000030h] 8_2_01AB52A5 (5 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ACAAB0 mov eax, dword ptr fs:[00000030h] 8_2_01ACAAB0 (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AEFAB0 mov eax, dword ptr fs:[00000030h] 8_2_01AEFAB0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AED294 mov eax, dword ptr fs:[00000030h] 8_2_01AED294 (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE2AE4 mov eax, dword ptr fs:[00000030h] 8_2_01AE2AE4
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE2ACB mov eax, dword ptr fs:[00000030h] 8_2_01AE2ACB
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF4A2C mov eax, dword ptr fs:[00000030h] 8_2_01AF4A2C (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B7AA16 mov eax, dword ptr fs:[00000030h] 8_2_01B7AA16 (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AC8A0A mov eax, dword ptr fs:[00000030h] 8_2_01AC8A0A
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AD3A1C mov eax, dword ptr fs:[00000030h] 8_2_01AD3A1C
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AB5210 mov eax/ecx, dword ptr fs:[00000030h] 8_2_01AB5210 (4 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ABAA16 mov eax, dword ptr fs:[00000030h] 8_2_01ABAA16 (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF927A mov eax, dword ptr fs:[00000030h] 8_2_01AF927A
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B6B260 mov eax, dword ptr fs:[00000030h] 8_2_01B6B260 (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B88A62 mov eax, dword ptr fs:[00000030h] 8_2_01B88A62
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B7EA55 mov eax, dword ptr fs:[00000030h] 8_2_01B7EA55
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B44257 mov eax, dword ptr fs:[00000030h] 8_2_01B44257
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AB9240 mov eax, dword ptr fs:[00000030h] 8_2_01AB9240 (4 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE35A1 mov eax, dword ptr fs:[00000030h] 8_2_01AE35A1
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B805AC mov eax, dword ptr fs:[00000030h] 8_2_01B805AC (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE1DB5 mov eax, dword ptr fs:[00000030h] 8_2_01AE1DB5 (3 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AB2D8A mov eax, dword ptr fs:[00000030h] 8_2_01AB2D8A (5 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE2581 mov eax, dword ptr fs:[00000030h] 8_2_01AE2581 (4 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AEFD9B mov eax, dword ptr fs:[00000030h] 8_2_01AEFD9B (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B68DF1 mov eax, dword ptr fs:[00000030h] 8_2_01B68DF1
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ACD5E0 mov eax, dword ptr fs:[00000030h] 8_2_01ACD5E0 (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B7FDE2 mov eax, dword ptr fs:[00000030h] 8_2_01B7FDE2 (4 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B36DC9 mov eax/ecx, dword ptr fs:[00000030h] 8_2_01B36DC9 (6 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B3A537 mov eax, dword ptr fs:[00000030h] 8_2_01B3A537
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B88D34 mov eax, dword ptr fs:[00000030h] 8_2_01B88D34
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B7E539 mov eax, dword ptr fs:[00000030h] 8_2_01B7E539
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE4D3B mov eax, dword ptr fs:[00000030h] 8_2_01AE4D3B (3 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h] 8_2_01AC3D34 (13 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ABAD30 mov eax, dword ptr fs:[00000030h] 8_2_01ABAD30
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ADC577 mov eax, dword ptr fs:[00000030h] 8_2_01ADC577 (2 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF3D43 mov eax, dword ptr fs:[00000030h] 8_2_01AF3D43
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B33540 mov eax, dword ptr fs:[00000030h] 8_2_01B33540
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AD7D50 mov eax, dword ptr fs:[00000030h] 8_2_01AD7D50
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AC849B mov eax, dword ptr fs:[00000030h] 8_2_01AC849B
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B36CF0 mov eax, dword ptr fs:[00000030h] 8_2_01B36CF0 (3 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B714FB mov eax, dword ptr fs:[00000030h] 8_2_01B714FB
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B88CD6 mov eax, dword ptr fs:[00000030h] 8_2_01B88CD6
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AEBC2C mov eax, dword ptr fs:[00000030h] 8_2_01AEBC2C
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h] 8_2_01B71C06 (14 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B8740D mov eax, dword ptr fs:[00000030h] 8_2_01B8740D (3 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B36C0A mov eax, dword ptr fs:[00000030h] 8_2_01B36C0A (3 reads)
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B36C0A mov eax, dword ptr fs:[00000030h] 8_2_01B36C0A
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AD746D mov eax, dword ptr fs:[00000030h] 8_2_01AD746D
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B4C450 mov eax, dword ptr fs:[00000030h] 8_2_01B4C450
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B4C450 mov eax, dword ptr fs:[00000030h] 8_2_01B4C450
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AEA44B mov eax, dword ptr fs:[00000030h] 8_2_01AEA44B
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B37794 mov eax, dword ptr fs:[00000030h] 8_2_01B37794
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B37794 mov eax, dword ptr fs:[00000030h] 8_2_01B37794
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B37794 mov eax, dword ptr fs:[00000030h] 8_2_01B37794
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AC8794 mov eax, dword ptr fs:[00000030h] 8_2_01AC8794
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF37F5 mov eax, dword ptr fs:[00000030h] 8_2_01AF37F5
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AB4F2E mov eax, dword ptr fs:[00000030h] 8_2_01AB4F2E
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AB4F2E mov eax, dword ptr fs:[00000030h] 8_2_01AB4F2E
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AEE730 mov eax, dword ptr fs:[00000030h] 8_2_01AEE730
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AEA70E mov eax, dword ptr fs:[00000030h] 8_2_01AEA70E
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AEA70E mov eax, dword ptr fs:[00000030h] 8_2_01AEA70E
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B4FF10 mov eax, dword ptr fs:[00000030h] 8_2_01B4FF10
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B4FF10 mov eax, dword ptr fs:[00000030h] 8_2_01B4FF10
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B8070D mov eax, dword ptr fs:[00000030h] 8_2_01B8070D
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B8070D mov eax, dword ptr fs:[00000030h] 8_2_01B8070D
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ADF716 mov eax, dword ptr fs:[00000030h] 8_2_01ADF716
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ACFF60 mov eax, dword ptr fs:[00000030h] 8_2_01ACFF60
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B88F6A mov eax, dword ptr fs:[00000030h] 8_2_01B88F6A
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ACEF40 mov eax, dword ptr fs:[00000030h] 8_2_01ACEF40
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B346A7 mov eax, dword ptr fs:[00000030h] 8_2_01B346A7
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B80EA5 mov eax, dword ptr fs:[00000030h] 8_2_01B80EA5
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B80EA5 mov eax, dword ptr fs:[00000030h] 8_2_01B80EA5
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B80EA5 mov eax, dword ptr fs:[00000030h] 8_2_01B80EA5
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B4FE87 mov eax, dword ptr fs:[00000030h] 8_2_01B4FE87
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE16E0 mov ecx, dword ptr fs:[00000030h] 8_2_01AE16E0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AC76E2 mov eax, dword ptr fs:[00000030h] 8_2_01AC76E2
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE36CC mov eax, dword ptr fs:[00000030h] 8_2_01AE36CC
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF8EC7 mov eax, dword ptr fs:[00000030h] 8_2_01AF8EC7
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B88ED6 mov eax, dword ptr fs:[00000030h] 8_2_01B88ED6
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B6FEC0 mov eax, dword ptr fs:[00000030h] 8_2_01B6FEC0
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B6FE3F mov eax, dword ptr fs:[00000030h] 8_2_01B6FE3F
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ABE620 mov eax, dword ptr fs:[00000030h] 8_2_01ABE620
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ABC600 mov eax, dword ptr fs:[00000030h] 8_2_01ABC600
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ABC600 mov eax, dword ptr fs:[00000030h] 8_2_01ABC600
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ABC600 mov eax, dword ptr fs:[00000030h] 8_2_01ABC600
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AE8E00 mov eax, dword ptr fs:[00000030h] 8_2_01AE8E00
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AEA61C mov eax, dword ptr fs:[00000030h] 8_2_01AEA61C
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AEA61C mov eax, dword ptr fs:[00000030h] 8_2_01AEA61C
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B71608 mov eax, dword ptr fs:[00000030h] 8_2_01B71608
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AC766D mov eax, dword ptr fs:[00000030h] 8_2_01AC766D
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ADAE73 mov eax, dword ptr fs:[00000030h] 8_2_01ADAE73
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ADAE73 mov eax, dword ptr fs:[00000030h] 8_2_01ADAE73
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ADAE73 mov eax, dword ptr fs:[00000030h] 8_2_01ADAE73
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ADAE73 mov eax, dword ptr fs:[00000030h] 8_2_01ADAE73
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01ADAE73 mov eax, dword ptr fs:[00000030h] 8_2_01ADAE73
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h] 8_2_01AC7E41
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h] 8_2_01AC7E41
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h] 8_2_01AC7E41
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h] 8_2_01AC7E41
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h] 8_2_01AC7E41
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h] 8_2_01AC7E41
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B7AE44 mov eax, dword ptr fs:[00000030h] 8_2_01B7AE44
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01B7AE44 mov eax, dword ptr fs:[00000030h] 8_2_01B7AE44
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0484849B mov eax, dword ptr fs:[00000030h] 19_2_0484849B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04908CD6 mov eax, dword ptr fs:[00000030h] 19_2_04908CD6
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F14FB mov eax, dword ptr fs:[00000030h] 19_2_048F14FB
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B6CF0 mov eax, dword ptr fs:[00000030h] 19_2_048B6CF0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B6CF0 mov eax, dword ptr fs:[00000030h] 19_2_048B6CF0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B6CF0 mov eax, dword ptr fs:[00000030h] 19_2_048B6CF0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B6C0A mov eax, dword ptr fs:[00000030h] 19_2_048B6C0A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B6C0A mov eax, dword ptr fs:[00000030h] 19_2_048B6C0A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B6C0A mov eax, dword ptr fs:[00000030h] 19_2_048B6C0A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B6C0A mov eax, dword ptr fs:[00000030h] 19_2_048B6C0A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h] 19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h] 19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h] 19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h] 19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h] 19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h] 19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h] 19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h] 19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h] 19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h] 19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h] 19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h] 19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h] 19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h] 19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0490740D mov eax, dword ptr fs:[00000030h] 19_2_0490740D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0490740D mov eax, dword ptr fs:[00000030h] 19_2_0490740D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0490740D mov eax, dword ptr fs:[00000030h] 19_2_0490740D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486BC2C mov eax, dword ptr fs:[00000030h] 19_2_0486BC2C
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486A44B mov eax, dword ptr fs:[00000030h] 19_2_0486A44B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048CC450 mov eax, dword ptr fs:[00000030h] 19_2_048CC450
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048CC450 mov eax, dword ptr fs:[00000030h] 19_2_048CC450
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0485746D mov eax, dword ptr fs:[00000030h] 19_2_0485746D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04862581 mov eax, dword ptr fs:[00000030h] 19_2_04862581
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04862581 mov eax, dword ptr fs:[00000030h] 19_2_04862581
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04862581 mov eax, dword ptr fs:[00000030h] 19_2_04862581
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04862581 mov eax, dword ptr fs:[00000030h] 19_2_04862581
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04832D8A mov eax, dword ptr fs:[00000030h] 19_2_04832D8A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04832D8A mov eax, dword ptr fs:[00000030h] 19_2_04832D8A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04832D8A mov eax, dword ptr fs:[00000030h] 19_2_04832D8A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04832D8A mov eax, dword ptr fs:[00000030h] 19_2_04832D8A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04832D8A mov eax, dword ptr fs:[00000030h] 19_2_04832D8A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486FD9B mov eax, dword ptr fs:[00000030h] 19_2_0486FD9B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486FD9B mov eax, dword ptr fs:[00000030h] 19_2_0486FD9B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048635A1 mov eax, dword ptr fs:[00000030h] 19_2_048635A1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04861DB5 mov eax, dword ptr fs:[00000030h] 19_2_04861DB5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04861DB5 mov eax, dword ptr fs:[00000030h] 19_2_04861DB5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04861DB5 mov eax, dword ptr fs:[00000030h] 19_2_04861DB5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_049005AC mov eax, dword ptr fs:[00000030h] 19_2_049005AC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_049005AC mov eax, dword ptr fs:[00000030h] 19_2_049005AC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B6DC9 mov eax, dword ptr fs:[00000030h] 19_2_048B6DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B6DC9 mov eax, dword ptr fs:[00000030h] 19_2_048B6DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B6DC9 mov eax, dword ptr fs:[00000030h] 19_2_048B6DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B6DC9 mov ecx, dword ptr fs:[00000030h] 19_2_048B6DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B6DC9 mov eax, dword ptr fs:[00000030h] 19_2_048B6DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B6DC9 mov eax, dword ptr fs:[00000030h] 19_2_048B6DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0484D5E0 mov eax, dword ptr fs:[00000030h] 19_2_0484D5E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0484D5E0 mov eax, dword ptr fs:[00000030h] 19_2_0484D5E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048FFDE2 mov eax, dword ptr fs:[00000030h] 19_2_048FFDE2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048FFDE2 mov eax, dword ptr fs:[00000030h] 19_2_048FFDE2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048FFDE2 mov eax, dword ptr fs:[00000030h] 19_2_048FFDE2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048FFDE2 mov eax, dword ptr fs:[00000030h] 19_2_048FFDE2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048E8DF1 mov eax, dword ptr fs:[00000030h] 19_2_048E8DF1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04908D34 mov eax, dword ptr fs:[00000030h] 19_2_04908D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h] 19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h] 19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h] 19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h] 19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h] 19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h] 19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h] 19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h] 19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h] 19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h] 19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h] 19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h] 19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h] 19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0483AD30 mov eax, dword ptr fs:[00000030h] 19_2_0483AD30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048FE539 mov eax, dword ptr fs:[00000030h] 19_2_048FE539
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048BA537 mov eax, dword ptr fs:[00000030h] 19_2_048BA537
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04864D3B mov eax, dword ptr fs:[00000030h] 19_2_04864D3B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04864D3B mov eax, dword ptr fs:[00000030h] 19_2_04864D3B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04864D3B mov eax, dword ptr fs:[00000030h] 19_2_04864D3B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04873D43 mov eax, dword ptr fs:[00000030h] 19_2_04873D43
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B3540 mov eax, dword ptr fs:[00000030h] 19_2_048B3540
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048E3D40 mov eax, dword ptr fs:[00000030h] 19_2_048E3D40
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04857D50 mov eax, dword ptr fs:[00000030h] 19_2_04857D50
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0485C577 mov eax, dword ptr fs:[00000030h] 19_2_0485C577
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0485C577 mov eax, dword ptr fs:[00000030h] 19_2_0485C577
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048CFE87 mov eax, dword ptr fs:[00000030h] 19_2_048CFE87
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B46A7 mov eax, dword ptr fs:[00000030h] 19_2_048B46A7
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04900EA5 mov eax, dword ptr fs:[00000030h] 19_2_04900EA5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04900EA5 mov eax, dword ptr fs:[00000030h] 19_2_04900EA5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04900EA5 mov eax, dword ptr fs:[00000030h] 19_2_04900EA5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04878EC7 mov eax, dword ptr fs:[00000030h] 19_2_04878EC7
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04908ED6 mov eax, dword ptr fs:[00000030h] 19_2_04908ED6
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048636CC mov eax, dword ptr fs:[00000030h] 19_2_048636CC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048EFEC0 mov eax, dword ptr fs:[00000030h] 19_2_048EFEC0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048616E0 mov ecx, dword ptr fs:[00000030h] 19_2_048616E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048476E2 mov eax, dword ptr fs:[00000030h] 19_2_048476E2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0483C600 mov eax, dword ptr fs:[00000030h] 19_2_0483C600
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0483C600 mov eax, dword ptr fs:[00000030h] 19_2_0483C600
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0483C600 mov eax, dword ptr fs:[00000030h] 19_2_0483C600
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04868E00 mov eax, dword ptr fs:[00000030h] 19_2_04868E00
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F1608 mov eax, dword ptr fs:[00000030h] 19_2_048F1608
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486A61C mov eax, dword ptr fs:[00000030h] 19_2_0486A61C
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486A61C mov eax, dword ptr fs:[00000030h] 19_2_0486A61C
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0483E620 mov eax, dword ptr fs:[00000030h] 19_2_0483E620
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048EFE3F mov eax, dword ptr fs:[00000030h] 19_2_048EFE3F
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h] 19_2_04847E41
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h] 19_2_04847E41
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h] 19_2_04847E41
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h] 19_2_04847E41
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h] 19_2_04847E41
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h] 19_2_04847E41
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048FAE44 mov eax, dword ptr fs:[00000030h] 19_2_048FAE44
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048FAE44 mov eax, dword ptr fs:[00000030h] 19_2_048FAE44
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0484766D mov eax, dword ptr fs:[00000030h] 19_2_0484766D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0485AE73 mov eax, dword ptr fs:[00000030h] 19_2_0485AE73
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0485AE73 mov eax, dword ptr fs:[00000030h] 19_2_0485AE73
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0485AE73 mov eax, dword ptr fs:[00000030h] 19_2_0485AE73
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0485AE73 mov eax, dword ptr fs:[00000030h] 19_2_0485AE73
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0485AE73 mov eax, dword ptr fs:[00000030h] 19_2_0485AE73
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04848794 mov eax, dword ptr fs:[00000030h] 19_2_04848794
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B7794 mov eax, dword ptr fs:[00000030h] 19_2_048B7794
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B7794 mov eax, dword ptr fs:[00000030h] 19_2_048B7794
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B7794 mov eax, dword ptr fs:[00000030h] 19_2_048B7794
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048737F5 mov eax, dword ptr fs:[00000030h] 19_2_048737F5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486A70E mov eax, dword ptr fs:[00000030h] 19_2_0486A70E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486A70E mov eax, dword ptr fs:[00000030h] 19_2_0486A70E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0485F716 mov eax, dword ptr fs:[00000030h] 19_2_0485F716
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048CFF10 mov eax, dword ptr fs:[00000030h] 19_2_048CFF10
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048CFF10 mov eax, dword ptr fs:[00000030h] 19_2_048CFF10
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0490070D mov eax, dword ptr fs:[00000030h] 19_2_0490070D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0490070D mov eax, dword ptr fs:[00000030h] 19_2_0490070D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04834F2E mov eax, dword ptr fs:[00000030h] 19_2_04834F2E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04834F2E mov eax, dword ptr fs:[00000030h] 19_2_04834F2E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486E730 mov eax, dword ptr fs:[00000030h] 19_2_0486E730
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0484EF40 mov eax, dword ptr fs:[00000030h] 19_2_0484EF40
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0484FF60 mov eax, dword ptr fs:[00000030h] 19_2_0484FF60
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04908F6A mov eax, dword ptr fs:[00000030h] 19_2_04908F6A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04839080 mov eax, dword ptr fs:[00000030h] 19_2_04839080
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B3884 mov eax, dword ptr fs:[00000030h] 19_2_048B3884
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B3884 mov eax, dword ptr fs:[00000030h] 19_2_048B3884
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h] 19_2_048620A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h] 19_2_048620A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h] 19_2_048620A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h] 19_2_048620A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h] 19_2_048620A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h] 19_2_048620A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048790AF mov eax, dword ptr fs:[00000030h] 19_2_048790AF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486F0BF mov ecx, dword ptr fs:[00000030h] 19_2_0486F0BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486F0BF mov eax, dword ptr fs:[00000030h] 19_2_0486F0BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486F0BF mov eax, dword ptr fs:[00000030h] 19_2_0486F0BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048CB8D0 mov eax, dword ptr fs:[00000030h] 19_2_048CB8D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048CB8D0 mov ecx, dword ptr fs:[00000030h] 19_2_048CB8D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048CB8D0 mov eax, dword ptr fs:[00000030h] 19_2_048CB8D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048CB8D0 mov eax, dword ptr fs:[00000030h] 19_2_048CB8D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048CB8D0 mov eax, dword ptr fs:[00000030h] 19_2_048CB8D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048CB8D0 mov eax, dword ptr fs:[00000030h] 19_2_048CB8D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048340E1 mov eax, dword ptr fs:[00000030h] 19_2_048340E1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048340E1 mov eax, dword ptr fs:[00000030h] 19_2_048340E1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048340E1 mov eax, dword ptr fs:[00000030h] 19_2_048340E1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048358EC mov eax, dword ptr fs:[00000030h] 19_2_048358EC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04904015 mov eax, dword ptr fs:[00000030h] 19_2_04904015
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04904015 mov eax, dword ptr fs:[00000030h] 19_2_04904015
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B7016 mov eax, dword ptr fs:[00000030h] 19_2_048B7016
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B7016 mov eax, dword ptr fs:[00000030h] 19_2_048B7016
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B7016 mov eax, dword ptr fs:[00000030h] 19_2_048B7016
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486002D mov eax, dword ptr fs:[00000030h] 19_2_0486002D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486002D mov eax, dword ptr fs:[00000030h] 19_2_0486002D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486002D mov eax, dword ptr fs:[00000030h] 19_2_0486002D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486002D mov eax, dword ptr fs:[00000030h] 19_2_0486002D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486002D mov eax, dword ptr fs:[00000030h] 19_2_0486002D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0484B02A mov eax, dword ptr fs:[00000030h] 19_2_0484B02A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0484B02A mov eax, dword ptr fs:[00000030h] 19_2_0484B02A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0484B02A mov eax, dword ptr fs:[00000030h] 19_2_0484B02A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0484B02A mov eax, dword ptr fs:[00000030h] 19_2_0484B02A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04850050 mov eax, dword ptr fs:[00000030h] 19_2_04850050
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04850050 mov eax, dword ptr fs:[00000030h] 19_2_04850050
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04901074 mov eax, dword ptr fs:[00000030h] 19_2_04901074
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F2073 mov eax, dword ptr fs:[00000030h] 19_2_048F2073
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486A185 mov eax, dword ptr fs:[00000030h] 19_2_0486A185
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0485C182 mov eax, dword ptr fs:[00000030h] 19_2_0485C182
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04862990 mov eax, dword ptr fs:[00000030h] 19_2_04862990
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048661A0 mov eax, dword ptr fs:[00000030h] 19_2_048661A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048661A0 mov eax, dword ptr fs:[00000030h] 19_2_048661A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F49A4 mov eax, dword ptr fs:[00000030h] 19_2_048F49A4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F49A4 mov eax, dword ptr fs:[00000030h] 19_2_048F49A4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F49A4 mov eax, dword ptr fs:[00000030h] 19_2_048F49A4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048F49A4 mov eax, dword ptr fs:[00000030h] 19_2_048F49A4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B69A6 mov eax, dword ptr fs:[00000030h] 19_2_048B69A6
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B51BE mov eax, dword ptr fs:[00000030h] 19_2_048B51BE
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B51BE mov eax, dword ptr fs:[00000030h] 19_2_048B51BE
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B51BE mov eax, dword ptr fs:[00000030h] 19_2_048B51BE
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048B51BE mov eax, dword ptr fs:[00000030h] 19_2_048B51BE
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0483B1E1 mov eax, dword ptr fs:[00000030h] 19_2_0483B1E1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0483B1E1 mov eax, dword ptr fs:[00000030h] 19_2_0483B1E1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0483B1E1 mov eax, dword ptr fs:[00000030h] 19_2_0483B1E1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048C41E8 mov eax, dword ptr fs:[00000030h] 19_2_048C41E8
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04839100 mov eax, dword ptr fs:[00000030h] 19_2_04839100
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04839100 mov eax, dword ptr fs:[00000030h] 19_2_04839100
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04839100 mov eax, dword ptr fs:[00000030h] 19_2_04839100
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04854120 mov eax, dword ptr fs:[00000030h] 19_2_04854120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04854120 mov eax, dword ptr fs:[00000030h] 19_2_04854120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04854120 mov eax, dword ptr fs:[00000030h] 19_2_04854120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04854120 mov eax, dword ptr fs:[00000030h] 19_2_04854120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04854120 mov ecx, dword ptr fs:[00000030h] 19_2_04854120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486513A mov eax, dword ptr fs:[00000030h] 19_2_0486513A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486513A mov eax, dword ptr fs:[00000030h] 19_2_0486513A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0485B944 mov eax, dword ptr fs:[00000030h] 19_2_0485B944
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0485B944 mov eax, dword ptr fs:[00000030h] 19_2_0485B944
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0483C962 mov eax, dword ptr fs:[00000030h] 19_2_0483C962
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0483B171 mov eax, dword ptr fs:[00000030h] 19_2_0483B171
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0483B171 mov eax, dword ptr fs:[00000030h] 19_2_0483B171
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486D294 mov eax, dword ptr fs:[00000030h] 19_2_0486D294
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486D294 mov eax, dword ptr fs:[00000030h] 19_2_0486D294
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048352A5 mov eax, dword ptr fs:[00000030h] 19_2_048352A5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048352A5 mov eax, dword ptr fs:[00000030h] 19_2_048352A5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048352A5 mov eax, dword ptr fs:[00000030h] 19_2_048352A5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048352A5 mov eax, dword ptr fs:[00000030h] 19_2_048352A5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_048352A5 mov eax, dword ptr fs:[00000030h] 19_2_048352A5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0484AAB0 mov eax, dword ptr fs:[00000030h] 19_2_0484AAB0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0484AAB0 mov eax, dword ptr fs:[00000030h] 19_2_0484AAB0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0486FAB0 mov eax, dword ptr fs:[00000030h] 19_2_0486FAB0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04862ACB mov eax, dword ptr fs:[00000030h] 19_2_04862ACB
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04862AE4 mov eax, dword ptr fs:[00000030h] 19_2_04862AE4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04848A0A mov eax, dword ptr fs:[00000030h] 19_2_04848A0A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04835210 mov eax, dword ptr fs:[00000030h] 19_2_04835210
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04835210 mov ecx, dword ptr fs:[00000030h] 19_2_04835210
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04835210 mov eax, dword ptr fs:[00000030h] 19_2_04835210
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04835210 mov eax, dword ptr fs:[00000030h] 19_2_04835210
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0483AA16 mov eax, dword ptr fs:[00000030h] 19_2_0483AA16
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_0483AA16 mov eax, dword ptr fs:[00000030h] 19_2_0483AA16
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04853A1C mov eax, dword ptr fs:[00000030h] 19_2_04853A1C
Source: C:\Users\user\Desktop\Packing list.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Packing list.exe Code function: 8_2_01AF99A0 NtCreateSection,LdrInitializeThunk, 8_2_01AF99A0
Source: C:\Users\user\Desktop\Packing list.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.chillsafe.online
Source: C:\Windows\explorer.exe Domain query: www.alshared.info
Source: C:\Users\user\Desktop\Packing list.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 350000
Source: C:\Users\user\Desktop\Packing list.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Packing list.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Packing list.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Packing list.exe Memory written: C:\Users\user\Desktop\Packing list.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Packing list.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\Packing list.exe Thread register set: target process: 684
Source: C:\Windows\SysWOW64\raserver.exe Thread register set: target process: 684
Source: C:\Users\user\Desktop\Packing list.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcWxLdFqdoHatB" /XML "C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp"
Source: C:\Users\user\Desktop\Packing list.exe Process created: C:\Users\user\Desktop\Packing list.exe {path}
Source: explorer.exe, 0000000A.00000000.529517602.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.475161545.0000000006100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.486817000.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.529517602.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.528908599.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.463219469.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.529517602.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.463219469.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.505932724.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: YProgram Managerf
Source: explorer.exe, 0000000A.00000000.529517602.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.463219469.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.505932724.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
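The rows above are the raw material for triage: the PEB reads through fs:[30h] and the DebugPort queries in the anti-debugging rows, the unmapped and RWX-mapped sections, the MZ header written over a process image, the queued APC and the foreign thread-context writes in the HIPS/PFW rows, the schtasks /Create persistence, and the C2 name lookups coming out of explorer.exe rather than the dropper. The Python below is an added example, not part of the Joe Sandbox report and not FormBook code: it parses rows in this report's row format, counts hand-rolled PEB reads per process, groups the cross-process memory events into a per-injector summary with ATT&CK technique IDs (that mapping is the example's own reading of the rows), pulls the scheduled-task name and XML path out of the schtasks command line, lists domain queries made by Windows binaries, and marks the volume-information queries on GAC assemblies and font files that follow this section as .NET loader noise rather than payload capability. The embedded sample rows are constructed copies in the report's shape, and all function names are the example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample rows in the shape of the report above (not a full copy of it).
SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04854120 mov eax, dword ptr fs:[00000030h] 19_2_04854120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 19_2_04854120 mov ecx, dword ptr fs:[00000030h] 19_2_04854120
Source: C:\Users\user\Desktop\Packing list.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe Process queried: DebugPort
Source: C:\Windows\explorer.exe Domain query: www.chillsafe.online
Source: C:\Users\user\Desktop\Packing list.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 350000
Source: C:\Users\user\Desktop\Packing list.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Packing list.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Packing list.exe Memory written: C:\Users\user\Desktop\Packing list.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Packing list.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\Packing list.exe Thread register set: target process: 684
Source: C:\Users\user\Desktop\Packing list.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcWxLdFqdoHatB" /XML "C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp"
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
"""

EVENTS = ("Code function", "Process queried", "Domain query", "Section unmapped",
          "Section loaded", "Memory written", "Thread APC queued",
          "Thread register set", "Process created", "Queries volume information")
ROW_RE = re.compile(r"^Source: (?P<source>.+?) (?P<event>" + "|".join(EVENTS) + r"): (?P<detail>.*)$")
PEB_RE = re.compile(r"fs:\[00000030h\]")          # TEB->PEB pointer on 32-bit Windows
TASK_RE = re.compile(r'/TN\s+"(?P<name>[^"]+)".*?/XML\s+"(?P<xml>[^"]+)"', re.I)
RWX = "execute and read and write"
NOISE_DIRS = ("\\Windows\\Fonts\\", "\\Microsoft.NET\\assembly\\GAC_MSIL\\")

def parse_rows(text):
    """Split report rows into (source process, event, detail) records."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def peb_accesses(rows):
    """Count fs:[0x30] reads per process. Code that fetches the PEB by hand usually goes on
    to test PEB.BeingDebugged (+0x02) or PEB.NtGlobalFlag (+0x68) without IsDebuggerPresent."""
    return Counter(r["source"] for r in rows
                   if r["event"] == "Code function" and PEB_RE.search(r["detail"]))

def classify_row(row):
    """Map one row to (ATT&CK technique, target process or None); None when the row carries
    no injection, evasion or persistence signal. The mapping is this example's own."""
    ev, d = row["event"], row["detail"]
    if ev == "Section unmapped":                       # NtUnmapViewOfSection on the target image base
        return "T1055.012", d.split(" base address:")[0]
    if ev == "Section loaded" and RWX in d:            # RWX section mapped into a foreign process
        m = re.search(r"target: (.+?) protection:", d)
        return "T1055.012", (m.group(1) if m else None)
    if ev == "Memory written" and d.endswith("value starts with: 4D5A"):   # new 'MZ' header
        return "T1055.012", None
    if ev == "Thread register set":                    # SetThreadContext: hand-off to the new entry point
        return "T1055.012", None
    if ev == "Thread APC queued":
        return "T1055.004", d.split("target process: ", 1)[1]
    if ev == "Process queried" and d == "DebugPort":   # NtQueryInformationProcess(ProcessDebugPort)
        return "T1622", None
    if ev == "Code function" and PEB_RE.search(d):
        return "T1622", None
    if ev == "Process created" and "schtasks" in d.lower() and "/create" in d.lower():
        return "T1053.005", None
    return None

def injection_summary(rows):
    """Per injecting process: the techniques seen and the processes it touched."""
    out = defaultdict(lambda: {"targets": set(), "techniques": set()})
    for r in rows:
        hit = classify_row(r)
        if hit:
            out[r["source"]]["techniques"].add(hit[0])
            if hit[1]:
                out[r["source"]]["targets"].add(hit[1])
    return dict(out)

def scheduled_tasks(rows):
    """(task name, XML path) per schtasks /Create; the XML in %TEMP% holds the real action and trigger."""
    return [(m.group("name"), m.group("xml")) for r in rows
            if r["event"] == "Process created" and (m := TASK_RE.search(r["detail"]))]

def c2_lookups(rows):
    """Domain queries made by a Windows binary: after injection the system process resolves C2, not the dropper."""
    return sorted(r["detail"] for r in rows if r["event"] == "Domain query"
                  and r["source"].lower().startswith("c:\\windows\\"))

def is_loader_noise(row):
    """Volume-information queries on GAC assemblies and font files come from the .NET runtime and
    GDI+ font enumeration of a WinForms binary, not from the payload (this example's assessment)."""
    return row["event"] == "Queries volume information" and any(p in row["detail"] for p in NOISE_DIRS)

def triage(text):
    rows = parse_rows(text)
    inj = {s: {k: sorted(v) for k, v in e.items()} for s, e in injection_summary(rows).items()}
    return {"peb_accesses": dict(peb_accesses(rows)), "injection": inj,
            "scheduled_tasks": scheduled_tasks(rows), "c2_lookups": c2_lookups(rows),
            "loader_noise_rows": sum(is_loader_noise(r) for r in rows)}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
```

Run it as a script, or call triage() on a text dump of a report in this row format. The scheduled-task XML under %TEMP% is the artefact to recover first: the process-creation row shows only the temp file name, and the XML carries the action path and trigger that the persistence actually runs.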
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Users\user\Desktop\Packing list.exe VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
No contacted IP infos