Windows Analysis Report
Packing list.exe

Antivirus detection for URL or domain

Source: Yara match	File source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: www.pahunt.org/umhl/

Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: Packing list.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\jcWxLdFqdoHatB.exe

Joe Sandbox ML: detected

Source: 8.0.Packing list.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.pahunt.org/umhl/"], "decoy": ["mB8gvYWKNnd+6kcRK8M=", "7zn0DtefQVZc3UcRK8M=", "qj9AgFfem/K5", "7W+k2buMQnZxzkqW8v2wDA==", "BXmNsJSLLt9UZYuO3C2l", "PHnylup3Ec5YTj8qPV+8", "5wuv0g7RYfoLhg==", "qy3Wf2Qv9yamjg==", "EWjULZ91La2UEjQ=", "aN2KCV/tiOP2gyVROJbK2Fg=", "a9tVEduGJF1q4GcHnr2dBg==", "111flmRlGlRY0vPmzRR63KW1wyqR6Q==", "f7+r8NeWp+WZYf6D8v2wDA==", "LGG2X0VJ1rSPHL0Yd/60", "A21qVr1P5aZSS/pCOZbK2Fg=", "W7uNpIBT4NZ+WoHtRGa+", "YpWyeGx/Qx22izPhZenb5O65", "xPm54b/IeWRI4IYqPV+8", "gtxoMfmYZ0HgmQ==", "LMlLAuXndyCmnEXPMpdwBwxB0g==", "siWU81PxsC+0oEWT8v2wDA==", "ks2JuqR+Kkb324cqPV+8", "7CHy2pNs9fzthn43", "uTnZelYp9yamjg==", "FYR8ZtIuEACu", "QV+IJwsM0kTK+2oVgQ==", "I60qeTRmGDxa4UcRK8M=", "bI7FSA8i5lsh0IMkgw==", "fPDj0E0bvTlUwOLGFVq2", "oOS6vYWSNl3Gn4c1", "MMijCmIt6ShS2/7z4Dvb5O65", "hMS597ZZ/MZLKR7nZ54/kNuz", "K2nSnIFmKWqgHFcyv/imbncPSqo=", "4Xb7v/PEdz7Y+2oVgQ==", "Vt2QCbF0aJ4=", "m9VmkEwbxnIa/p3YBFc98Gux", "Q7lAGwwBhTLthn43", "DlGQCZkaysdZJh8yWdKN6m+x", "CF0uM/wT2M7JHzQqPV+8", "1wevt3hI3tPaR2ozyQe1it7fHPg/eczb", "qxcRVQuWHw1MKdA4", "dMADqcZ+K4I=", "H3ZFO+VrJQ6lnpmPa5bK2Fg=", "I2NcqXM1zEPK+2oVgQ==", "XoQXQA0PxDRI+2oVgQ==", "9VDJi2RwODvp3Hz5d+nb5O65", "H4PEOo8dwjlj9KRE8v2wDA==", "fq1yc81rHThNtiRPOJbK2Fg=", "90u1gKqiSJc=", "HnInjdeMNq2UEjQ=", "3O7PDrhF5tWQl8Iwiw==", "AXuXhUUotKqgEHuvpP/GHaUbXbTp8o5Lpg==", "edtWHfXmei7thn43", "1vdgIc5iAGSI60cRK8M=", "sj5/NqAuEACu", "dpQOonl8Rr7LGTZGYZX9RTsVSrM=", "rt0X7dDlpHsQFcJC8v2wDA==", "+nf/2b/GeGL/AHBFB0erBoHNITKM4Q==", "MLMz38fRYBvGpEWX8v2wDA==", "I186c0wbqBqOlnEPXsSi6j64nGru", "CipT7MK3Xrk2U7YQJHvxBA==", "2k/ZrIpV38eJR3Au", "83OJo30uEACu", "yva3tQ7Zsm36/6Qbgtk8EOkFF2SA6Q=="]}

Source: Packing list.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Packing list.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: Packing list.exe, 00000008.00000002.562708462.0000000001A90000.00000040.00000800.00020000.00000000.sdmp, Packing list.exe, 00000008.00000003.458129700.00000000018F1000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.682832403.0000000004810000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.560808608.0000000000A04000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.684541829.000000000492F000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.566392906.0000000000BAF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Packing list.exe, Packing list.exe, 00000008.00000002.562708462.0000000001A90000.00000040.00000800.00020000.00000000.sdmp, Packing list.exe, 00000008.00000003.458129700.00000000018F1000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, raserver.exe, 00000013.00000002.682832403.0000000004810000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.560808608.0000000000A04000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.684541829.000000000492F000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.566392906.0000000000BAF000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Packing list.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_086745A0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_086745B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop edi	19_2_032D8920
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop edi	19_2_032D439F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop edi	19_2_032D891F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop edi	19_2_032D8911

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.chillsafe.online
Source: C:\Windows\explorer.exe	Domain query: www.alshared.info

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.pahunt.org/umhl/

Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comRes
Source: Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coma-dY
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.456872900.0000000006100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Packing list.exe, 00000000.00000003.456872900.0000000006100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comC
Source: Packing list.exe, 00000000.00000003.456872900.0000000006100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.417011575.000000000610B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Packing list.exe, 00000000.00000003.417047585.0000000006105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Packing list.exe, 00000000.00000003.424293456.0000000006102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.424293456.0000000006102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.417883204.0000000006103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Packing list.exe, 00000000.00000003.417883204.0000000006103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comlic
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn$
Source: Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.
Source: Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnx

Source: unknown

DNS traffic detected: queries for: www.chillsafe.online

Source: Packing list.exe, 00000000.00000002.457845803.0000000001589000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Packing list.exe.33f638c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Packing list.exe PID: 1320, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: raserver.exe PID: 3856, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

.NET source code contains very large strings

Source: Packing list.exe, AddCompanyForm.cs	Long String: Length: 20037
Source: jcWxLdFqdoHatB.exe.0.dr, AddCompanyForm.cs	Long String: Length: 20037
Source: 0.0.Packing list.exe.e70000.0.unpack, AddCompanyForm.cs	Long String: Length: 20037

Source: Packing list.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Packing list.exe.33f638c.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Packing list.exe PID: 6064, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: Packing list.exe PID: 1320, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: raserver.exe PID: 3856, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_0339E820	0_2_0339E820
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_0339E810	0_2_0339E810
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_0339BF54	0_2_0339BF54
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE63F8	0_2_07DE63F8
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE2D00	0_2_07DE2D00
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE4B00	0_2_07DE4B00
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE9608	0_2_07DE9608
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE5550	0_2_07DE5550
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DED320	0_2_07DED320
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE3EE0	0_2_07DE3EE0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE8640	0_2_07DE8640
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE8632	0_2_07DE8632
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE8410	0_2_07DE8410
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE8420	0_2_07DE8420
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE63D5	0_2_07DE63D5
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DEC3E8	0_2_07DEC3E8
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE6308	0_2_07DE6308
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DEE338	0_2_07DEE338
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE4FB0	0_2_07DE4FB0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE4FA0	0_2_07DE4FA0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE4AF1	0_2_07DE4AF1
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE8A58	0_2_07DE8A58
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DECA40	0_2_07DECA40
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE8A68	0_2_07DE8A68
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE885B	0_2_07DE885B
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE8868	0_2_07DE8868
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE95D1	0_2_07DE95D1
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE5543	0_2_07DE5543
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE32D8	0_2_07DE32D8
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE32E8	0_2_07DE32E8
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE7090	0_2_07DE7090
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE3E08	0_2_07DE3E08
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DEDD30	0_2_07DEDD30
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DED828	0_2_07DED828
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_08670040	0_2_08670040
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_08670011	0_2_08670011
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_08670040	0_2_08670040
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD4120	8_2_01AD4120
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABF900	8_2_01ABF900
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE20A0	8_2_01AE20A0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B820A8	8_2_01B820A8
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACB090	8_2_01ACB090
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B828EC	8_2_01B828EC
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71002	8_2_01B71002
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEEBB0	8_2_01AEEBB0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7DBD2	8_2_01B7DBD2
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B82B28	8_2_01B82B28
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B822AE	8_2_01B822AE
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2581	8_2_01AE2581
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACD5E0	8_2_01ACD5E0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B825DD	8_2_01B825DD
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB0D20	8_2_01AB0D20
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B82D07	8_2_01B82D07
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B81D55	8_2_01B81D55
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC841F	8_2_01AC841F
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7D466	8_2_01B7D466
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B81FF1	8_2_01B81FF1
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B82EF7	8_2_01B82EF7
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD6E30	8_2_01AD6E30
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7D616	8_2_01B7D616
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_004202EF	8_2_004202EF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484841F	19_2_0484841F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FD466	19_2_048FD466
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04862581	19_2_04862581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_049025DD	19_2_049025DD
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484D5E0	19_2_0484D5E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04902D07	19_2_04902D07
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04830D20	19_2_04830D20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04901D55	19_2_04901D55
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04902EF7	19_2_04902EF7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FD616	19_2_048FD616
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04856E30	19_2_04856E30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0490DFCE	19_2_0490DFCE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04901FF1	19_2_04901FF1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484B090	19_2_0484B090
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048620A0	19_2_048620A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_049020A8	19_2_049020A8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_049028EC	19_2_049028EC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1002	19_2_048F1002
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0490E824	19_2_0490E824
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483F900	19_2_0483F900
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04854120	19_2_04854120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_049022AE	19_2_049022AE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048EFA2B	19_2_048EFA2B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486EBB0	19_2_0486EBB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F03DA	19_2_048F03DA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FDBD2	19_2_048FDBD2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04902B28	19_2_04902B28
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032D8920	19_2_032D8920
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EEB93	19_2_032EEB93
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EFAA0	19_2_032EFAA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032F02EF	19_2_032F02EF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032DE9E0	19_2_032DE9E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EEF76	19_2_032EEF76
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032D2FB0	19_2_032D2FB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EFD3A	19_2_032EFD3A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032D9DA0	19_2_032D9DA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032D2D8F	19_2_032D2D8F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032D9D9D	19_2_032D9D9D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032D2D90	19_2_032D2D90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EF4D3	19_2_032EF4D3

Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 0483B150 appears 45 times
Source: C:\Users\user\Desktop\Packing list.exe	Code function: String function: 01ABB150 appears 35 times

Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF99A0 NtCreateSection,LdrInitializeThunk,	8_2_01AF99A0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_01AF9910
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF98F0 NtReadVirtualMemory,LdrInitializeThunk,	8_2_01AF98F0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9860 NtQuerySystemInformation,LdrInitializeThunk,	8_2_01AF9860
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9840 NtDelayExecution,LdrInitializeThunk,	8_2_01AF9840
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9A20 NtResumeThread,LdrInitializeThunk,	8_2_01AF9A20
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9A00 NtProtectVirtualMemory,LdrInitializeThunk,	8_2_01AF9A00
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9A50 NtCreateFile,LdrInitializeThunk,	8_2_01AF9A50
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF95D0 NtClose,LdrInitializeThunk,	8_2_01AF95D0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9540 NtReadFile,LdrInitializeThunk,	8_2_01AF9540
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF97A0 NtUnmapViewOfSection,LdrInitializeThunk,	8_2_01AF97A0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9780 NtMapViewOfSection,LdrInitializeThunk,	8_2_01AF9780
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9FE0 NtCreateMutant,LdrInitializeThunk,	8_2_01AF9FE0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9710 NtQueryInformationToken,LdrInitializeThunk,	8_2_01AF9710
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF96E0 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_01AF96E0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9660 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_01AF9660
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF99D0 NtCreateProcessEx,	8_2_01AF99D0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9950 NtQueueApcThread,	8_2_01AF9950
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF98A0 NtWriteVirtualMemory,	8_2_01AF98A0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9820 NtEnumerateKey,	8_2_01AF9820
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AFB040 NtSuspendThread,	8_2_01AFB040
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AFA3B0 NtGetContextThread,	8_2_01AFA3B0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9B00 NtSetValueKey,	8_2_01AF9B00
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9A80 NtOpenDirectoryObject,	8_2_01AF9A80
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9A10 NtQuerySection,	8_2_01AF9A10
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF95F0 NtQueryInformationFile,	8_2_01AF95F0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9520 NtWaitForSingleObject,	8_2_01AF9520
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AFAD30 NtSetContextThread,	8_2_01AFAD30
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9560 NtWriteFile,	8_2_01AF9560
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9730 NtQueryVirtualMemory,	8_2_01AF9730
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AFA710 NtOpenProcessToken,	8_2_01AFA710
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9760 NtOpenProcess,	8_2_01AF9760
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AFA770 NtOpenThread,	8_2_01AFA770
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9770 NtSetInformationFile,	8_2_01AF9770
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF96D0 NtCreateKey,	8_2_01AF96D0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9610 NtEnumerateValueKey,	8_2_01AF9610
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9670 NtQueryInformationProcess,	8_2_01AF9670
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9650 NtQueryValueKey,	8_2_01AF9650
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048795D0 NtClose,LdrInitializeThunk,	19_2_048795D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879540 NtReadFile,LdrInitializeThunk,	19_2_04879540
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048796D0 NtCreateKey,LdrInitializeThunk,	19_2_048796D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048796E0 NtFreeVirtualMemory,LdrInitializeThunk,	19_2_048796E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879650 NtQueryValueKey,LdrInitializeThunk,	19_2_04879650
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879660 NtAllocateVirtualMemory,LdrInitializeThunk,	19_2_04879660
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879780 NtMapViewOfSection,LdrInitializeThunk,	19_2_04879780
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879FE0 NtCreateMutant,LdrInitializeThunk,	19_2_04879FE0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879710 NtQueryInformationToken,LdrInitializeThunk,	19_2_04879710
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879840 NtDelayExecution,LdrInitializeThunk,	19_2_04879840
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879860 NtQuerySystemInformation,LdrInitializeThunk,	19_2_04879860
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048799A0 NtCreateSection,LdrInitializeThunk,	19_2_048799A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879910 NtAdjustPrivilegesToken,LdrInitializeThunk,	19_2_04879910
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879A50 NtCreateFile,LdrInitializeThunk,	19_2_04879A50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048795F0 NtQueryInformationFile,	19_2_048795F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879520 NtWaitForSingleObject,	19_2_04879520
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0487AD30 NtSetContextThread,	19_2_0487AD30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879560 NtWriteFile,	19_2_04879560
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879610 NtEnumerateValueKey,	19_2_04879610
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879670 NtQueryInformationProcess,	19_2_04879670
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048797A0 NtUnmapViewOfSection,	19_2_048797A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0487A710 NtOpenProcessToken,	19_2_0487A710
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879730 NtQueryVirtualMemory,	19_2_04879730
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879760 NtOpenProcess,	19_2_04879760
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0487A770 NtOpenThread,	19_2_0487A770
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879770 NtSetInformationFile,	19_2_04879770
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048798A0 NtWriteVirtualMemory,	19_2_048798A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048798F0 NtReadVirtualMemory,	19_2_048798F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879820 NtEnumerateKey,	19_2_04879820
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0487B040 NtSuspendThread,	19_2_0487B040
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048799D0 NtCreateProcessEx,	19_2_048799D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879950 NtQueueApcThread,	19_2_04879950
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879A80 NtOpenDirectoryObject,	19_2_04879A80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879A00 NtProtectVirtualMemory,	19_2_04879A00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879A10 NtQuerySection,	19_2_04879A10
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879A20 NtResumeThread,	19_2_04879A20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0487A3B0 NtGetContextThread,	19_2_0487A3B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879B00 NtSetValueKey,	19_2_04879B00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EB950 NtAllocateVirtualMemory,	19_2_032EB950
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EB820 NtReadFile,	19_2_032EB820
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EB870 NtDeleteFile,	19_2_032EB870
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EB8A0 NtClose,	19_2_032EB8A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EB770 NtCreateFile,	19_2_032EB770
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EB86A NtDeleteFile,	19_2_032EB86A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EB89A NtClose,	19_2_032EB89A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EB76A NtCreateFile,	19_2_032EB76A

Source: Packing list.exe, 00000000.00000002.457845803.0000000001589000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Packing list.exe
Source: Packing list.exe, 00000000.00000002.466545787.0000000004551000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs Packing list.exe
Source: Packing list.exe, 00000000.00000002.466545787.0000000004551000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameG702.exe6 vs Packing list.exe
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs Packing list.exe
Source: Packing list.exe, 00000000.00000002.472987115.0000000007CD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs Packing list.exe
Source: Packing list.exe, 00000000.00000000.410358073.0000000000F46000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameG702.exe6 vs Packing list.exe
Source: Packing list.exe, 00000000.00000003.446205184.0000000003A08000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs Packing list.exe
Source: Packing list.exe, 00000008.00000003.458924092.0000000001A10000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Packing list.exe
Source: Packing list.exe, 00000008.00000002.566860104.0000000001BAF000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Packing list.exe
Source: Packing list.exe, 00000008.00000003.456310804.000000000186E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Packing list.exe
Source: Packing list.exe, 00000008.00000002.562266975.00000000015B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameraserver.exej% vs Packing list.exe
Source: Packing list.exe	Binary or memory string: OriginalFilenameG702.exe6 vs Packing list.exe

Source: Packing list.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jcWxLdFqdoHatB.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Packing list.exe

Virustotal: Detection: 43%

Source: C:\Users\user\Desktop\Packing list.exe

File read: C:\Users\user\Desktop\Packing list.exe

Source: Packing list.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Packing list.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Packing list.exe "C:\Users\user\Desktop\Packing list.exe"
Source: C:\Users\user\Desktop\Packing list.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcWxLdFqdoHatB" /XML "C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Packing list.exe	Process created: C:\Users\user\Desktop\Packing list.exe {path}
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Users\user\Desktop\Packing list.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcWxLdFqdoHatB" /XML "C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process created: C:\Users\user\Desktop\Packing list.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\Packing list.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\Packing list.exe

File created: C:\Users\user\AppData\Roaming\jcWxLdFqdoHatB.exe

Source: C:\Users\user\Desktop\Packing list.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/3@3/0

Source: C:\Users\user\Desktop\Packing list.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: Packing list.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Packing list.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\Packing list.exe	Mutant created: \Sessions\1\BaseNamedObjects\JcKpFLwEHGkRAE
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_01

Source: Packing list.exe	String found in binary or memory: Address:/AddressToolStripTextBox-AddressToolStripButton'ToolStripSeparator3'PhoneToolStripLabel
Source: Packing list.exe	String found in binary or memory: Address:/AddressToolStripTextBox-AddressToolStripButton'ToolStripSeparator3'PhoneToolStripLabel

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Packing list.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

.NET source code contains method to dynamically call methods (often used by packers)

Source: Packing list.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Packing list.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: Packing list.exe, 00000008.00000002.562708462.0000000001A90000.00000040.00000800.00020000.00000000.sdmp, Packing list.exe, 00000008.00000003.458129700.00000000018F1000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.682832403.0000000004810000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.560808608.0000000000A04000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.684541829.000000000492F000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.566392906.0000000000BAF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Packing list.exe, Packing list.exe, 00000008.00000002.562708462.0000000001A90000.00000040.00000800.00020000.00000000.sdmp, Packing list.exe, 00000008.00000003.458129700.00000000018F1000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, raserver.exe, 00000013.00000002.682832403.0000000004810000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.560808608.0000000000A04000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.684541829.000000000492F000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.566392906.0000000000BAF000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: Packing list.exe, AddCompanyForm.cs	.Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: jcWxLdFqdoHatB.exe.0.dr, AddCompanyForm.cs	.Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: 0.0.Packing list.exe.e70000.0.unpack, AddCompanyForm.cs	.Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)

Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_0867513D push FFFFFF8Bh; iretd	0_2_0867513F
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B0D0D1 push ecx; ret	8_2_01B0D0E4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0488D0D1 push ecx; ret	19_2_0488D0E4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EEB5C push eax; ret	19_2_032EEB62
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EEAA5 push eax; ret	19_2_032EEAF8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EEAFB push eax; ret	19_2_032EEB62
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EEAF2 push eax; ret	19_2_032EEAF8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032E4126 push FFFFFF98h; ret	19_2_032E412A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032E919F push ss; retf	19_2_032E91AD
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032E7F12 push ebx; iretd	19_2_032E7F19
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032ECD73 pushad ; iretd	19_2_032ECD74
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032D3DD7 pushad ; ret	19_2_032D3DAD
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032D3C87 push cs; iretd	19_2_032D3C96

Source: initial sample	Static PE information: section name: .text entropy: 7.781035493181961
Source: initial sample	Static PE information: section name: .text entropy: 7.781035493181961

Source: C:\Users\user\Desktop\Packing list.exe

File created: C:\Users\user\AppData\Roaming\jcWxLdFqdoHatB.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Packing list.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcWxLdFqdoHatB" /XML "C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\SysWOW64\raserver.exe

File deleted: c:\users\user\desktop\packing list.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Packing list.exe PID: 6064, type: MEMORYSTR

Source: Packing list.exe, 00000000.00000002.463942931.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Packing list.exe, 00000000.00000002.463942931.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Packing list.exe TID: 6048

Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Packing list.exe

Code function: 8_2_01B85BA5 rdtsc

8_2_01B85BA5

Source: C:\Users\user\Desktop\Packing list.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Packing list.exe	API coverage: 5.4 %
Source: C:\Windows\SysWOW64\raserver.exe	API coverage: 9.3 %

Source: C:\Users\user\Desktop\Packing list.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Packing list.exe

Thread delayed: delay time: 922337203685477

Source: explorer.exe, 0000000A.00000000.518640024.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.539248413.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000A.00000000.518640024.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: explorer.exe, 0000000A.00000000.518640024.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000A.00000000.539248413.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000A.00000000.475254478.0000000006915000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.475637080.00000000069D0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 0000000A.00000000.518640024.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 0000000A.00000000.539248413.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\Desktop\Packing list.exe

Code function: 8_2_01B85BA5 rdtsc

8_2_01B85BA5

Source: C:\Users\user\Desktop\Packing list.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B351BE mov eax, dword ptr fs:[00000030h]	8_2_01B351BE
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B351BE mov eax, dword ptr fs:[00000030h]	8_2_01B351BE
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B351BE mov eax, dword ptr fs:[00000030h]	8_2_01B351BE
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B351BE mov eax, dword ptr fs:[00000030h]	8_2_01B351BE
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE61A0 mov eax, dword ptr fs:[00000030h]	8_2_01AE61A0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE61A0 mov eax, dword ptr fs:[00000030h]	8_2_01AE61A0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B369A6 mov eax, dword ptr fs:[00000030h]	8_2_01B369A6
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEA185 mov eax, dword ptr fs:[00000030h]	8_2_01AEA185
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADC182 mov eax, dword ptr fs:[00000030h]	8_2_01ADC182
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2990 mov eax, dword ptr fs:[00000030h]	8_2_01AE2990
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABB1E1 mov eax, dword ptr fs:[00000030h]	8_2_01ABB1E1
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABB1E1 mov eax, dword ptr fs:[00000030h]	8_2_01ABB1E1
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABB1E1 mov eax, dword ptr fs:[00000030h]	8_2_01ABB1E1
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B441E8 mov eax, dword ptr fs:[00000030h]	8_2_01B441E8
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD4120 mov eax, dword ptr fs:[00000030h]	8_2_01AD4120
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD4120 mov eax, dword ptr fs:[00000030h]	8_2_01AD4120
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD4120 mov eax, dword ptr fs:[00000030h]	8_2_01AD4120
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD4120 mov eax, dword ptr fs:[00000030h]	8_2_01AD4120
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD4120 mov ecx, dword ptr fs:[00000030h]	8_2_01AD4120
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE513A mov eax, dword ptr fs:[00000030h]	8_2_01AE513A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE513A mov eax, dword ptr fs:[00000030h]	8_2_01AE513A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB9100 mov eax, dword ptr fs:[00000030h]	8_2_01AB9100
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB9100 mov eax, dword ptr fs:[00000030h]	8_2_01AB9100
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB9100 mov eax, dword ptr fs:[00000030h]	8_2_01AB9100
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABC962 mov eax, dword ptr fs:[00000030h]	8_2_01ABC962
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABB171 mov eax, dword ptr fs:[00000030h]	8_2_01ABB171
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABB171 mov eax, dword ptr fs:[00000030h]	8_2_01ABB171
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADB944 mov eax, dword ptr fs:[00000030h]	8_2_01ADB944
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADB944 mov eax, dword ptr fs:[00000030h]	8_2_01ADB944
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF90AF mov eax, dword ptr fs:[00000030h]	8_2_01AF90AF
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE20A0 mov eax, dword ptr fs:[00000030h]	8_2_01AE20A0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE20A0 mov eax, dword ptr fs:[00000030h]	8_2_01AE20A0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE20A0 mov eax, dword ptr fs:[00000030h]	8_2_01AE20A0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE20A0 mov eax, dword ptr fs:[00000030h]	8_2_01AE20A0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE20A0 mov eax, dword ptr fs:[00000030h]	8_2_01AE20A0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE20A0 mov eax, dword ptr fs:[00000030h]	8_2_01AE20A0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEF0BF mov ecx, dword ptr fs:[00000030h]	8_2_01AEF0BF
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEF0BF mov eax, dword ptr fs:[00000030h]	8_2_01AEF0BF
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEF0BF mov eax, dword ptr fs:[00000030h]	8_2_01AEF0BF
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB9080 mov eax, dword ptr fs:[00000030h]	8_2_01AB9080
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B33884 mov eax, dword ptr fs:[00000030h]	8_2_01B33884
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B33884 mov eax, dword ptr fs:[00000030h]	8_2_01B33884
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB58EC mov eax, dword ptr fs:[00000030h]	8_2_01AB58EC
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4B8D0 mov eax, dword ptr fs:[00000030h]	8_2_01B4B8D0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4B8D0 mov ecx, dword ptr fs:[00000030h]	8_2_01B4B8D0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4B8D0 mov eax, dword ptr fs:[00000030h]	8_2_01B4B8D0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4B8D0 mov eax, dword ptr fs:[00000030h]	8_2_01B4B8D0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4B8D0 mov eax, dword ptr fs:[00000030h]	8_2_01B4B8D0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4B8D0 mov eax, dword ptr fs:[00000030h]	8_2_01B4B8D0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE002D mov eax, dword ptr fs:[00000030h]	8_2_01AE002D
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE002D mov eax, dword ptr fs:[00000030h]	8_2_01AE002D
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE002D mov eax, dword ptr fs:[00000030h]	8_2_01AE002D
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE002D mov eax, dword ptr fs:[00000030h]	8_2_01AE002D
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE002D mov eax, dword ptr fs:[00000030h]	8_2_01AE002D
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACB02A mov eax, dword ptr fs:[00000030h]	8_2_01ACB02A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACB02A mov eax, dword ptr fs:[00000030h]	8_2_01ACB02A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACB02A mov eax, dword ptr fs:[00000030h]	8_2_01ACB02A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACB02A mov eax, dword ptr fs:[00000030h]	8_2_01ACB02A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B37016 mov eax, dword ptr fs:[00000030h]	8_2_01B37016
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B37016 mov eax, dword ptr fs:[00000030h]	8_2_01B37016
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B37016 mov eax, dword ptr fs:[00000030h]	8_2_01B37016
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B84015 mov eax, dword ptr fs:[00000030h]	8_2_01B84015
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B84015 mov eax, dword ptr fs:[00000030h]	8_2_01B84015
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B72073 mov eax, dword ptr fs:[00000030h]	8_2_01B72073
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B81074 mov eax, dword ptr fs:[00000030h]	8_2_01B81074
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD0050 mov eax, dword ptr fs:[00000030h]	8_2_01AD0050
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD0050 mov eax, dword ptr fs:[00000030h]	8_2_01AD0050
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE4BAD mov eax, dword ptr fs:[00000030h]	8_2_01AE4BAD
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE4BAD mov eax, dword ptr fs:[00000030h]	8_2_01AE4BAD
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE4BAD mov eax, dword ptr fs:[00000030h]	8_2_01AE4BAD
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B85BA5 mov eax, dword ptr fs:[00000030h]	8_2_01B85BA5
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC1B8F mov eax, dword ptr fs:[00000030h]	8_2_01AC1B8F
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC1B8F mov eax, dword ptr fs:[00000030h]	8_2_01AC1B8F
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B6D380 mov ecx, dword ptr fs:[00000030h]	8_2_01B6D380
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2397 mov eax, dword ptr fs:[00000030h]	8_2_01AE2397
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7138A mov eax, dword ptr fs:[00000030h]	8_2_01B7138A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEB390 mov eax, dword ptr fs:[00000030h]	8_2_01AEB390
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADDBE9 mov eax, dword ptr fs:[00000030h]	8_2_01ADDBE9
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE03E2 mov eax, dword ptr fs:[00000030h]	8_2_01AE03E2
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE03E2 mov eax, dword ptr fs:[00000030h]	8_2_01AE03E2
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE03E2 mov eax, dword ptr fs:[00000030h]	8_2_01AE03E2
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE03E2 mov eax, dword ptr fs:[00000030h]	8_2_01AE03E2
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE03E2 mov eax, dword ptr fs:[00000030h]	8_2_01AE03E2
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE03E2 mov eax, dword ptr fs:[00000030h]	8_2_01AE03E2
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B353CA mov eax, dword ptr fs:[00000030h]	8_2_01B353CA
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B353CA mov eax, dword ptr fs:[00000030h]	8_2_01B353CA
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7131B mov eax, dword ptr fs:[00000030h]	8_2_01B7131B
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABDB60 mov ecx, dword ptr fs:[00000030h]	8_2_01ABDB60
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE3B7A mov eax, dword ptr fs:[00000030h]	8_2_01AE3B7A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE3B7A mov eax, dword ptr fs:[00000030h]	8_2_01AE3B7A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B88B58 mov eax, dword ptr fs:[00000030h]	8_2_01B88B58
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABDB40 mov eax, dword ptr fs:[00000030h]	8_2_01ABDB40
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABF358 mov eax, dword ptr fs:[00000030h]	8_2_01ABF358
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB52A5 mov eax, dword ptr fs:[00000030h]	8_2_01AB52A5
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB52A5 mov eax, dword ptr fs:[00000030h]	8_2_01AB52A5
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB52A5 mov eax, dword ptr fs:[00000030h]	8_2_01AB52A5
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB52A5 mov eax, dword ptr fs:[00000030h]	8_2_01AB52A5
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB52A5 mov eax, dword ptr fs:[00000030h]	8_2_01AB52A5
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACAAB0 mov eax, dword ptr fs:[00000030h]	8_2_01ACAAB0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACAAB0 mov eax, dword ptr fs:[00000030h]	8_2_01ACAAB0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEFAB0 mov eax, dword ptr fs:[00000030h]	8_2_01AEFAB0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AED294 mov eax, dword ptr fs:[00000030h]	8_2_01AED294
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AED294 mov eax, dword ptr fs:[00000030h]	8_2_01AED294
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2AE4 mov eax, dword ptr fs:[00000030h]	8_2_01AE2AE4
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2ACB mov eax, dword ptr fs:[00000030h]	8_2_01AE2ACB
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF4A2C mov eax, dword ptr fs:[00000030h]	8_2_01AF4A2C
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF4A2C mov eax, dword ptr fs:[00000030h]	8_2_01AF4A2C
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7AA16 mov eax, dword ptr fs:[00000030h]	8_2_01B7AA16
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7AA16 mov eax, dword ptr fs:[00000030h]	8_2_01B7AA16
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC8A0A mov eax, dword ptr fs:[00000030h]	8_2_01AC8A0A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD3A1C mov eax, dword ptr fs:[00000030h]	8_2_01AD3A1C
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB5210 mov eax, dword ptr fs:[00000030h]	8_2_01AB5210
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB5210 mov ecx, dword ptr fs:[00000030h]	8_2_01AB5210
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB5210 mov eax, dword ptr fs:[00000030h]	8_2_01AB5210
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB5210 mov eax, dword ptr fs:[00000030h]	8_2_01AB5210
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABAA16 mov eax, dword ptr fs:[00000030h]	8_2_01ABAA16
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABAA16 mov eax, dword ptr fs:[00000030h]	8_2_01ABAA16
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF927A mov eax, dword ptr fs:[00000030h]	8_2_01AF927A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B6B260 mov eax, dword ptr fs:[00000030h]	8_2_01B6B260
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B6B260 mov eax, dword ptr fs:[00000030h]	8_2_01B6B260
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B88A62 mov eax, dword ptr fs:[00000030h]	8_2_01B88A62
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7EA55 mov eax, dword ptr fs:[00000030h]	8_2_01B7EA55
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B44257 mov eax, dword ptr fs:[00000030h]	8_2_01B44257
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB9240 mov eax, dword ptr fs:[00000030h]	8_2_01AB9240
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB9240 mov eax, dword ptr fs:[00000030h]	8_2_01AB9240
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB9240 mov eax, dword ptr fs:[00000030h]	8_2_01AB9240
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB9240 mov eax, dword ptr fs:[00000030h]	8_2_01AB9240
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE35A1 mov eax, dword ptr fs:[00000030h]	8_2_01AE35A1
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B805AC mov eax, dword ptr fs:[00000030h]	8_2_01B805AC
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B805AC mov eax, dword ptr fs:[00000030h]	8_2_01B805AC
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE1DB5 mov eax, dword ptr fs:[00000030h]	8_2_01AE1DB5
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE1DB5 mov eax, dword ptr fs:[00000030h]	8_2_01AE1DB5
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE1DB5 mov eax, dword ptr fs:[00000030h]	8_2_01AE1DB5
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB2D8A mov eax, dword ptr fs:[00000030h]	8_2_01AB2D8A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB2D8A mov eax, dword ptr fs:[00000030h]	8_2_01AB2D8A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB2D8A mov eax, dword ptr fs:[00000030h]	8_2_01AB2D8A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB2D8A mov eax, dword ptr fs:[00000030h]	8_2_01AB2D8A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB2D8A mov eax, dword ptr fs:[00000030h]	8_2_01AB2D8A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2581 mov eax, dword ptr fs:[00000030h]	8_2_01AE2581
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2581 mov eax, dword ptr fs:[00000030h]	8_2_01AE2581
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2581 mov eax, dword ptr fs:[00000030h]	8_2_01AE2581
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2581 mov eax, dword ptr fs:[00000030h]	8_2_01AE2581
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEFD9B mov eax, dword ptr fs:[00000030h]	8_2_01AEFD9B
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEFD9B mov eax, dword ptr fs:[00000030h]	8_2_01AEFD9B
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B68DF1 mov eax, dword ptr fs:[00000030h]	8_2_01B68DF1
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACD5E0 mov eax, dword ptr fs:[00000030h]	8_2_01ACD5E0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACD5E0 mov eax, dword ptr fs:[00000030h]	8_2_01ACD5E0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7FDE2 mov eax, dword ptr fs:[00000030h]	8_2_01B7FDE2
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7FDE2 mov eax, dword ptr fs:[00000030h]	8_2_01B7FDE2
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7FDE2 mov eax, dword ptr fs:[00000030h]	8_2_01B7FDE2
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7FDE2 mov eax, dword ptr fs:[00000030h]	8_2_01B7FDE2
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36DC9 mov eax, dword ptr fs:[00000030h]	8_2_01B36DC9
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36DC9 mov eax, dword ptr fs:[00000030h]	8_2_01B36DC9
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36DC9 mov eax, dword ptr fs:[00000030h]	8_2_01B36DC9
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36DC9 mov ecx, dword ptr fs:[00000030h]	8_2_01B36DC9
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36DC9 mov eax, dword ptr fs:[00000030h]	8_2_01B36DC9
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36DC9 mov eax, dword ptr fs:[00000030h]	8_2_01B36DC9
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B3A537 mov eax, dword ptr fs:[00000030h]	8_2_01B3A537
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B88D34 mov eax, dword ptr fs:[00000030h]	8_2_01B88D34
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7E539 mov eax, dword ptr fs:[00000030h]	8_2_01B7E539
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE4D3B mov eax, dword ptr fs:[00000030h]	8_2_01AE4D3B
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE4D3B mov eax, dword ptr fs:[00000030h]	8_2_01AE4D3B
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE4D3B mov eax, dword ptr fs:[00000030h]	8_2_01AE4D3B
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]	8_2_01AC3D34
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]	8_2_01AC3D34
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]	8_2_01AC3D34
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]	8_2_01AC3D34
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]	8_2_01AC3D34
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]	8_2_01AC3D34
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]	8_2_01AC3D34
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]	8_2_01AC3D34
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]	8_2_01AC3D34
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]	8_2_01AC3D34
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]	8_2_01AC3D34
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]	8_2_01AC3D34
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]	8_2_01AC3D34
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABAD30 mov eax, dword ptr fs:[00000030h]	8_2_01ABAD30
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADC577 mov eax, dword ptr fs:[00000030h]	8_2_01ADC577
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADC577 mov eax, dword ptr fs:[00000030h]	8_2_01ADC577
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF3D43 mov eax, dword ptr fs:[00000030h]	8_2_01AF3D43
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B33540 mov eax, dword ptr fs:[00000030h]	8_2_01B33540
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD7D50 mov eax, dword ptr fs:[00000030h]	8_2_01AD7D50
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC849B mov eax, dword ptr fs:[00000030h]	8_2_01AC849B
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36CF0 mov eax, dword ptr fs:[00000030h]	8_2_01B36CF0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36CF0 mov eax, dword ptr fs:[00000030h]	8_2_01B36CF0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36CF0 mov eax, dword ptr fs:[00000030h]	8_2_01B36CF0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B714FB mov eax, dword ptr fs:[00000030h]	8_2_01B714FB
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B88CD6 mov eax, dword ptr fs:[00000030h]	8_2_01B88CD6
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEBC2C mov eax, dword ptr fs:[00000030h]	8_2_01AEBC2C
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]	8_2_01B71C06
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]	8_2_01B71C06
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]	8_2_01B71C06
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]	8_2_01B71C06
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]	8_2_01B71C06
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]	8_2_01B71C06
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]	8_2_01B71C06
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]	8_2_01B71C06
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]	8_2_01B71C06
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]	8_2_01B71C06
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]	8_2_01B71C06
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]	8_2_01B71C06
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]	8_2_01B71C06
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]	8_2_01B71C06
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B8740D mov eax, dword ptr fs:[00000030h]	8_2_01B8740D
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B8740D mov eax, dword ptr fs:[00000030h]	8_2_01B8740D
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B8740D mov eax, dword ptr fs:[00000030h]	8_2_01B8740D
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36C0A mov eax, dword ptr fs:[00000030h]	8_2_01B36C0A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36C0A mov eax, dword ptr fs:[00000030h]	8_2_01B36C0A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36C0A mov eax, dword ptr fs:[00000030h]	8_2_01B36C0A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36C0A mov eax, dword ptr fs:[00000030h]	8_2_01B36C0A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD746D mov eax, dword ptr fs:[00000030h]	8_2_01AD746D
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4C450 mov eax, dword ptr fs:[00000030h]	8_2_01B4C450
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4C450 mov eax, dword ptr fs:[00000030h]	8_2_01B4C450
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEA44B mov eax, dword ptr fs:[00000030h]	8_2_01AEA44B
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B37794 mov eax, dword ptr fs:[00000030h]	8_2_01B37794
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B37794 mov eax, dword ptr fs:[00000030h]	8_2_01B37794
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B37794 mov eax, dword ptr fs:[00000030h]	8_2_01B37794
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC8794 mov eax, dword ptr fs:[00000030h]	8_2_01AC8794
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF37F5 mov eax, dword ptr fs:[00000030h]	8_2_01AF37F5
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB4F2E mov eax, dword ptr fs:[00000030h]	8_2_01AB4F2E
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB4F2E mov eax, dword ptr fs:[00000030h]	8_2_01AB4F2E
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEE730 mov eax, dword ptr fs:[00000030h]	8_2_01AEE730
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEA70E mov eax, dword ptr fs:[00000030h]	8_2_01AEA70E
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEA70E mov eax, dword ptr fs:[00000030h]	8_2_01AEA70E
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4FF10 mov eax, dword ptr fs:[00000030h]	8_2_01B4FF10
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4FF10 mov eax, dword ptr fs:[00000030h]	8_2_01B4FF10
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B8070D mov eax, dword ptr fs:[00000030h]	8_2_01B8070D
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B8070D mov eax, dword ptr fs:[00000030h]	8_2_01B8070D
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADF716 mov eax, dword ptr fs:[00000030h]	8_2_01ADF716
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACFF60 mov eax, dword ptr fs:[00000030h]	8_2_01ACFF60
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B88F6A mov eax, dword ptr fs:[00000030h]	8_2_01B88F6A
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACEF40 mov eax, dword ptr fs:[00000030h]	8_2_01ACEF40
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B346A7 mov eax, dword ptr fs:[00000030h]	8_2_01B346A7
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B80EA5 mov eax, dword ptr fs:[00000030h]	8_2_01B80EA5
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B80EA5 mov eax, dword ptr fs:[00000030h]	8_2_01B80EA5
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B80EA5 mov eax, dword ptr fs:[00000030h]	8_2_01B80EA5
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4FE87 mov eax, dword ptr fs:[00000030h]	8_2_01B4FE87
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE16E0 mov ecx, dword ptr fs:[00000030h]	8_2_01AE16E0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC76E2 mov eax, dword ptr fs:[00000030h]	8_2_01AC76E2
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE36CC mov eax, dword ptr fs:[00000030h]	8_2_01AE36CC
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF8EC7 mov eax, dword ptr fs:[00000030h]	8_2_01AF8EC7
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B88ED6 mov eax, dword ptr fs:[00000030h]	8_2_01B88ED6
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B6FEC0 mov eax, dword ptr fs:[00000030h]	8_2_01B6FEC0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B6FE3F mov eax, dword ptr fs:[00000030h]	8_2_01B6FE3F
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABE620 mov eax, dword ptr fs:[00000030h]	8_2_01ABE620
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABC600 mov eax, dword ptr fs:[00000030h]	8_2_01ABC600
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABC600 mov eax, dword ptr fs:[00000030h]	8_2_01ABC600
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABC600 mov eax, dword ptr fs:[00000030h]	8_2_01ABC600
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE8E00 mov eax, dword ptr fs:[00000030h]	8_2_01AE8E00
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEA61C mov eax, dword ptr fs:[00000030h]	8_2_01AEA61C
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEA61C mov eax, dword ptr fs:[00000030h]	8_2_01AEA61C
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71608 mov eax, dword ptr fs:[00000030h]	8_2_01B71608
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC766D mov eax, dword ptr fs:[00000030h]	8_2_01AC766D
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADAE73 mov eax, dword ptr fs:[00000030h]	8_2_01ADAE73
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADAE73 mov eax, dword ptr fs:[00000030h]	8_2_01ADAE73
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADAE73 mov eax, dword ptr fs:[00000030h]	8_2_01ADAE73
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADAE73 mov eax, dword ptr fs:[00000030h]	8_2_01ADAE73
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADAE73 mov eax, dword ptr fs:[00000030h]	8_2_01ADAE73
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h]	8_2_01AC7E41
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h]	8_2_01AC7E41
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h]	8_2_01AC7E41
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h]	8_2_01AC7E41
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h]	8_2_01AC7E41
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h]	8_2_01AC7E41
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7AE44 mov eax, dword ptr fs:[00000030h]	8_2_01B7AE44
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7AE44 mov eax, dword ptr fs:[00000030h]	8_2_01B7AE44
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484849B mov eax, dword ptr fs:[00000030h]	19_2_0484849B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04908CD6 mov eax, dword ptr fs:[00000030h]	19_2_04908CD6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F14FB mov eax, dword ptr fs:[00000030h]	19_2_048F14FB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6CF0 mov eax, dword ptr fs:[00000030h]	19_2_048B6CF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6CF0 mov eax, dword ptr fs:[00000030h]	19_2_048B6CF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6CF0 mov eax, dword ptr fs:[00000030h]	19_2_048B6CF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6C0A mov eax, dword ptr fs:[00000030h]	19_2_048B6C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6C0A mov eax, dword ptr fs:[00000030h]	19_2_048B6C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6C0A mov eax, dword ptr fs:[00000030h]	19_2_048B6C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6C0A mov eax, dword ptr fs:[00000030h]	19_2_048B6C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]	19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]	19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]	19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]	19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]	19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]	19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]	19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]	19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]	19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]	19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]	19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]	19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]	19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]	19_2_048F1C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0490740D mov eax, dword ptr fs:[00000030h]	19_2_0490740D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0490740D mov eax, dword ptr fs:[00000030h]	19_2_0490740D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0490740D mov eax, dword ptr fs:[00000030h]	19_2_0490740D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486BC2C mov eax, dword ptr fs:[00000030h]	19_2_0486BC2C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486A44B mov eax, dword ptr fs:[00000030h]	19_2_0486A44B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CC450 mov eax, dword ptr fs:[00000030h]	19_2_048CC450
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CC450 mov eax, dword ptr fs:[00000030h]	19_2_048CC450
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485746D mov eax, dword ptr fs:[00000030h]	19_2_0485746D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04862581 mov eax, dword ptr fs:[00000030h]	19_2_04862581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04862581 mov eax, dword ptr fs:[00000030h]	19_2_04862581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04862581 mov eax, dword ptr fs:[00000030h]	19_2_04862581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04862581 mov eax, dword ptr fs:[00000030h]	19_2_04862581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04832D8A mov eax, dword ptr fs:[00000030h]	19_2_04832D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04832D8A mov eax, dword ptr fs:[00000030h]	19_2_04832D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04832D8A mov eax, dword ptr fs:[00000030h]	19_2_04832D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04832D8A mov eax, dword ptr fs:[00000030h]	19_2_04832D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04832D8A mov eax, dword ptr fs:[00000030h]	19_2_04832D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486FD9B mov eax, dword ptr fs:[00000030h]	19_2_0486FD9B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486FD9B mov eax, dword ptr fs:[00000030h]	19_2_0486FD9B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048635A1 mov eax, dword ptr fs:[00000030h]	19_2_048635A1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04861DB5 mov eax, dword ptr fs:[00000030h]	19_2_04861DB5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04861DB5 mov eax, dword ptr fs:[00000030h]	19_2_04861DB5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04861DB5 mov eax, dword ptr fs:[00000030h]	19_2_04861DB5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_049005AC mov eax, dword ptr fs:[00000030h]	19_2_049005AC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_049005AC mov eax, dword ptr fs:[00000030h]	19_2_049005AC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6DC9 mov eax, dword ptr fs:[00000030h]	19_2_048B6DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6DC9 mov eax, dword ptr fs:[00000030h]	19_2_048B6DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6DC9 mov eax, dword ptr fs:[00000030h]	19_2_048B6DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6DC9 mov ecx, dword ptr fs:[00000030h]	19_2_048B6DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6DC9 mov eax, dword ptr fs:[00000030h]	19_2_048B6DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6DC9 mov eax, dword ptr fs:[00000030h]	19_2_048B6DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484D5E0 mov eax, dword ptr fs:[00000030h]	19_2_0484D5E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484D5E0 mov eax, dword ptr fs:[00000030h]	19_2_0484D5E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FFDE2 mov eax, dword ptr fs:[00000030h]	19_2_048FFDE2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FFDE2 mov eax, dword ptr fs:[00000030h]	19_2_048FFDE2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FFDE2 mov eax, dword ptr fs:[00000030h]	19_2_048FFDE2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FFDE2 mov eax, dword ptr fs:[00000030h]	19_2_048FFDE2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048E8DF1 mov eax, dword ptr fs:[00000030h]	19_2_048E8DF1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04908D34 mov eax, dword ptr fs:[00000030h]	19_2_04908D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]	19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]	19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]	19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]	19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]	19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]	19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]	19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]	19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]	19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]	19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]	19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]	19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]	19_2_04843D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483AD30 mov eax, dword ptr fs:[00000030h]	19_2_0483AD30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FE539 mov eax, dword ptr fs:[00000030h]	19_2_048FE539
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048BA537 mov eax, dword ptr fs:[00000030h]	19_2_048BA537
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04864D3B mov eax, dword ptr fs:[00000030h]	19_2_04864D3B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04864D3B mov eax, dword ptr fs:[00000030h]	19_2_04864D3B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04864D3B mov eax, dword ptr fs:[00000030h]	19_2_04864D3B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04873D43 mov eax, dword ptr fs:[00000030h]	19_2_04873D43
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B3540 mov eax, dword ptr fs:[00000030h]	19_2_048B3540
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048E3D40 mov eax, dword ptr fs:[00000030h]	19_2_048E3D40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04857D50 mov eax, dword ptr fs:[00000030h]	19_2_04857D50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485C577 mov eax, dword ptr fs:[00000030h]	19_2_0485C577
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485C577 mov eax, dword ptr fs:[00000030h]	19_2_0485C577
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CFE87 mov eax, dword ptr fs:[00000030h]	19_2_048CFE87
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B46A7 mov eax, dword ptr fs:[00000030h]	19_2_048B46A7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04900EA5 mov eax, dword ptr fs:[00000030h]	19_2_04900EA5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04900EA5 mov eax, dword ptr fs:[00000030h]	19_2_04900EA5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04900EA5 mov eax, dword ptr fs:[00000030h]	19_2_04900EA5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04878EC7 mov eax, dword ptr fs:[00000030h]	19_2_04878EC7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04908ED6 mov eax, dword ptr fs:[00000030h]	19_2_04908ED6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048636CC mov eax, dword ptr fs:[00000030h]	19_2_048636CC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048EFEC0 mov eax, dword ptr fs:[00000030h]	19_2_048EFEC0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048616E0 mov ecx, dword ptr fs:[00000030h]	19_2_048616E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048476E2 mov eax, dword ptr fs:[00000030h]	19_2_048476E2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483C600 mov eax, dword ptr fs:[00000030h]	19_2_0483C600
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483C600 mov eax, dword ptr fs:[00000030h]	19_2_0483C600
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483C600 mov eax, dword ptr fs:[00000030h]	19_2_0483C600
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04868E00 mov eax, dword ptr fs:[00000030h]	19_2_04868E00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1608 mov eax, dword ptr fs:[00000030h]	19_2_048F1608
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486A61C mov eax, dword ptr fs:[00000030h]	19_2_0486A61C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486A61C mov eax, dword ptr fs:[00000030h]	19_2_0486A61C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483E620 mov eax, dword ptr fs:[00000030h]	19_2_0483E620
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048EFE3F mov eax, dword ptr fs:[00000030h]	19_2_048EFE3F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h]	19_2_04847E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h]	19_2_04847E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h]	19_2_04847E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h]	19_2_04847E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h]	19_2_04847E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h]	19_2_04847E41
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FAE44 mov eax, dword ptr fs:[00000030h]	19_2_048FAE44
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FAE44 mov eax, dword ptr fs:[00000030h]	19_2_048FAE44
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484766D mov eax, dword ptr fs:[00000030h]	19_2_0484766D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485AE73 mov eax, dword ptr fs:[00000030h]	19_2_0485AE73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485AE73 mov eax, dword ptr fs:[00000030h]	19_2_0485AE73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485AE73 mov eax, dword ptr fs:[00000030h]	19_2_0485AE73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485AE73 mov eax, dword ptr fs:[00000030h]	19_2_0485AE73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485AE73 mov eax, dword ptr fs:[00000030h]	19_2_0485AE73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04848794 mov eax, dword ptr fs:[00000030h]	19_2_04848794
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B7794 mov eax, dword ptr fs:[00000030h]	19_2_048B7794
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B7794 mov eax, dword ptr fs:[00000030h]	19_2_048B7794
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B7794 mov eax, dword ptr fs:[00000030h]	19_2_048B7794
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048737F5 mov eax, dword ptr fs:[00000030h]	19_2_048737F5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486A70E mov eax, dword ptr fs:[00000030h]	19_2_0486A70E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486A70E mov eax, dword ptr fs:[00000030h]	19_2_0486A70E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485F716 mov eax, dword ptr fs:[00000030h]	19_2_0485F716
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CFF10 mov eax, dword ptr fs:[00000030h]	19_2_048CFF10
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CFF10 mov eax, dword ptr fs:[00000030h]	19_2_048CFF10
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0490070D mov eax, dword ptr fs:[00000030h]	19_2_0490070D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0490070D mov eax, dword ptr fs:[00000030h]	19_2_0490070D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04834F2E mov eax, dword ptr fs:[00000030h]	19_2_04834F2E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04834F2E mov eax, dword ptr fs:[00000030h]	19_2_04834F2E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486E730 mov eax, dword ptr fs:[00000030h]	19_2_0486E730
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484EF40 mov eax, dword ptr fs:[00000030h]	19_2_0484EF40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484FF60 mov eax, dword ptr fs:[00000030h]	19_2_0484FF60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04908F6A mov eax, dword ptr fs:[00000030h]	19_2_04908F6A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04839080 mov eax, dword ptr fs:[00000030h]	19_2_04839080
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B3884 mov eax, dword ptr fs:[00000030h]	19_2_048B3884
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B3884 mov eax, dword ptr fs:[00000030h]	19_2_048B3884
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h]	19_2_048620A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h]	19_2_048620A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h]	19_2_048620A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h]	19_2_048620A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h]	19_2_048620A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h]	19_2_048620A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048790AF mov eax, dword ptr fs:[00000030h]	19_2_048790AF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486F0BF mov ecx, dword ptr fs:[00000030h]	19_2_0486F0BF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486F0BF mov eax, dword ptr fs:[00000030h]	19_2_0486F0BF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486F0BF mov eax, dword ptr fs:[00000030h]	19_2_0486F0BF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CB8D0 mov eax, dword ptr fs:[00000030h]	19_2_048CB8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CB8D0 mov ecx, dword ptr fs:[00000030h]	19_2_048CB8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CB8D0 mov eax, dword ptr fs:[00000030h]	19_2_048CB8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CB8D0 mov eax, dword ptr fs:[00000030h]	19_2_048CB8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CB8D0 mov eax, dword ptr fs:[00000030h]	19_2_048CB8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CB8D0 mov eax, dword ptr fs:[00000030h]	19_2_048CB8D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048340E1 mov eax, dword ptr fs:[00000030h]	19_2_048340E1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048340E1 mov eax, dword ptr fs:[00000030h]	19_2_048340E1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048340E1 mov eax, dword ptr fs:[00000030h]	19_2_048340E1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048358EC mov eax, dword ptr fs:[00000030h]	19_2_048358EC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04904015 mov eax, dword ptr fs:[00000030h]	19_2_04904015
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04904015 mov eax, dword ptr fs:[00000030h]	19_2_04904015
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B7016 mov eax, dword ptr fs:[00000030h]	19_2_048B7016
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B7016 mov eax, dword ptr fs:[00000030h]	19_2_048B7016
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B7016 mov eax, dword ptr fs:[00000030h]	19_2_048B7016
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486002D mov eax, dword ptr fs:[00000030h]	19_2_0486002D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486002D mov eax, dword ptr fs:[00000030h]	19_2_0486002D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486002D mov eax, dword ptr fs:[00000030h]	19_2_0486002D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486002D mov eax, dword ptr fs:[00000030h]	19_2_0486002D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486002D mov eax, dword ptr fs:[00000030h]	19_2_0486002D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484B02A mov eax, dword ptr fs:[00000030h]	19_2_0484B02A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484B02A mov eax, dword ptr fs:[00000030h]	19_2_0484B02A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484B02A mov eax, dword ptr fs:[00000030h]	19_2_0484B02A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484B02A mov eax, dword ptr fs:[00000030h]	19_2_0484B02A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04850050 mov eax, dword ptr fs:[00000030h]	19_2_04850050
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04850050 mov eax, dword ptr fs:[00000030h]	19_2_04850050
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04901074 mov eax, dword ptr fs:[00000030h]	19_2_04901074
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F2073 mov eax, dword ptr fs:[00000030h]	19_2_048F2073
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486A185 mov eax, dword ptr fs:[00000030h]	19_2_0486A185
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485C182 mov eax, dword ptr fs:[00000030h]	19_2_0485C182
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04862990 mov eax, dword ptr fs:[00000030h]	19_2_04862990
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048661A0 mov eax, dword ptr fs:[00000030h]	19_2_048661A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048661A0 mov eax, dword ptr fs:[00000030h]	19_2_048661A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F49A4 mov eax, dword ptr fs:[00000030h]	19_2_048F49A4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F49A4 mov eax, dword ptr fs:[00000030h]	19_2_048F49A4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F49A4 mov eax, dword ptr fs:[00000030h]	19_2_048F49A4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F49A4 mov eax, dword ptr fs:[00000030h]	19_2_048F49A4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B69A6 mov eax, dword ptr fs:[00000030h]	19_2_048B69A6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B51BE mov eax, dword ptr fs:[00000030h]	19_2_048B51BE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B51BE mov eax, dword ptr fs:[00000030h]	19_2_048B51BE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B51BE mov eax, dword ptr fs:[00000030h]	19_2_048B51BE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B51BE mov eax, dword ptr fs:[00000030h]	19_2_048B51BE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483B1E1 mov eax, dword ptr fs:[00000030h]	19_2_0483B1E1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483B1E1 mov eax, dword ptr fs:[00000030h]	19_2_0483B1E1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483B1E1 mov eax, dword ptr fs:[00000030h]	19_2_0483B1E1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048C41E8 mov eax, dword ptr fs:[00000030h]	19_2_048C41E8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04839100 mov eax, dword ptr fs:[00000030h]	19_2_04839100
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04839100 mov eax, dword ptr fs:[00000030h]	19_2_04839100
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04839100 mov eax, dword ptr fs:[00000030h]	19_2_04839100
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04854120 mov eax, dword ptr fs:[00000030h]	19_2_04854120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04854120 mov eax, dword ptr fs:[00000030h]	19_2_04854120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04854120 mov eax, dword ptr fs:[00000030h]	19_2_04854120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04854120 mov eax, dword ptr fs:[00000030h]	19_2_04854120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04854120 mov ecx, dword ptr fs:[00000030h]	19_2_04854120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486513A mov eax, dword ptr fs:[00000030h]	19_2_0486513A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486513A mov eax, dword ptr fs:[00000030h]	19_2_0486513A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485B944 mov eax, dword ptr fs:[00000030h]	19_2_0485B944
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485B944 mov eax, dword ptr fs:[00000030h]	19_2_0485B944
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483C962 mov eax, dword ptr fs:[00000030h]	19_2_0483C962
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483B171 mov eax, dword ptr fs:[00000030h]	19_2_0483B171
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483B171 mov eax, dword ptr fs:[00000030h]	19_2_0483B171
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486D294 mov eax, dword ptr fs:[00000030h]	19_2_0486D294
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486D294 mov eax, dword ptr fs:[00000030h]	19_2_0486D294
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048352A5 mov eax, dword ptr fs:[00000030h]	19_2_048352A5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048352A5 mov eax, dword ptr fs:[00000030h]	19_2_048352A5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048352A5 mov eax, dword ptr fs:[00000030h]	19_2_048352A5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048352A5 mov eax, dword ptr fs:[00000030h]	19_2_048352A5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048352A5 mov eax, dword ptr fs:[00000030h]	19_2_048352A5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484AAB0 mov eax, dword ptr fs:[00000030h]	19_2_0484AAB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484AAB0 mov eax, dword ptr fs:[00000030h]	19_2_0484AAB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486FAB0 mov eax, dword ptr fs:[00000030h]	19_2_0486FAB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04862ACB mov eax, dword ptr fs:[00000030h]	19_2_04862ACB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04862AE4 mov eax, dword ptr fs:[00000030h]	19_2_04862AE4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04848A0A mov eax, dword ptr fs:[00000030h]	19_2_04848A0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04835210 mov eax, dword ptr fs:[00000030h]	19_2_04835210
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04835210 mov ecx, dword ptr fs:[00000030h]	19_2_04835210
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04835210 mov eax, dword ptr fs:[00000030h]	19_2_04835210
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04835210 mov eax, dword ptr fs:[00000030h]	19_2_04835210
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483AA16 mov eax, dword ptr fs:[00000030h]	19_2_0483AA16
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483AA16 mov eax, dword ptr fs:[00000030h]	19_2_0483AA16
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04853A1C mov eax, dword ptr fs:[00000030h]	19_2_04853A1C

Source: C:\Users\user\Desktop\Packing list.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Packing list.exe

Code function: 8_2_01AF99A0 NtCreateSection,LdrInitializeThunk,

8_2_01AF99A0

Source: C:\Users\user\Desktop\Packing list.exe

Memory allocated: page read and write | page guard

System process connects to network (likely due to code injection or exploit)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe	Domain query: www.chillsafe.online
Source: C:\Windows\explorer.exe	Domain query: www.alshared.info

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Packing list.exe

Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 350000

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Packing list.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Packing list.exe

Memory written: C:\Users\user\Desktop\Packing list.exe base: 400000 value starts with: 4D5A

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Packing list.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Packing list.exe	Thread register set: target process: 684			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Thread register set: target process: 684			Jump to behavior

Source: C:\Users\user\Desktop\Packing list.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcWxLdFqdoHatB" /XML "C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp			Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Process created: C:\Users\user\Desktop\Packing list.exe {path}			Jump to behavior

Source: explorer.exe, 0000000A.00000000.529517602.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.475161545.0000000006100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.486817000.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.529517602.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.528908599.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.463219469.0000000001430000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.529517602.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.463219469.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.505932724.0000000001430000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: YProgram Managerf
Source: explorer.exe, 0000000A.00000000.529517602.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.463219469.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.505932724.0000000001430000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Users\user\Desktop\Packing list.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Packing list.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	612 Process Injection	1 Masquerading	1 Input Capture	121 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Shared Modules	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	612 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	4 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	13 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Packing list.exe	44%	Virustotal		Browse
Packing list.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\jcWxLdFqdoHatB.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
8.0.Packing list.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.zhongyicts.com.cnx	0%	Avira URL Cloud	safe
http://www.carterandcone.comRes	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.comlic	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.carterandcone.coma-dY	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn$	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.como	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cno.	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.comC	0%	Avira URL Cloud	safe
www.pahunt.org/umhl/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
rewaard.club	185.192.114.83	true	false	unknown
www.chillsafe.online	unknown	unknown	true	unknown
www.rewaard.club	unknown	unknown	true	unknown
www.alshared.info	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.pahunt.org/umhl/	true	Avira URL Cloud: malware	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.456872900.0000000006100000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/	Packing list.exe, 00000000.00000003.424293456.0000000006102000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cnx	Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comRes	Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.417883204.0000000006103000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comlic	Packing list.exe, 00000000.00000003.417883204.0000000006103000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coma-dY	Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/	Packing list.exe, 00000000.00000003.417047585.0000000006105000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.424293456.0000000006102000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.417011575.000000000610B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn$	Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.como	Packing list.exe, 00000000.00000003.456872900.0000000006100000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cno.	Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comC	Packing list.exe, 00000000.00000003.456872900.0000000006100000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	680524
Start date and time: 08/08/202218:32:06	2022-08-08 18:32:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Packing list.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/3@3/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 59.4% (good quality ratio 51.7%) Quality average: 71.6% Quality standard deviation: 33.4%
HCA Information:	Successful, ratio: 94% Number of executed functions: 89 Number of non-executed functions: 173
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, licensing.mp.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:33:20	API Interceptor	1x Sleep call for process: Packing list.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Packing list.exe.log

Download File

Process:	C:\Users\user\Desktop\Packing list.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp

Download File

Process:	C:\Users\user\Desktop\Packing list.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1651
Entropy (8bit):	5.17949713007774
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKButn:cbhC7ZlNQF/rydbz9I3YODOLNdq3W
MD5:	6527089BACCDC5417F25E75F643B1384
SHA1:	5DC2EEC38E431AAD51106626913E4AD0D74D241F
SHA-256:	661A8DEBE0FB8BCB91202D6806C30BE748E69709EC0C57FDC4D992CB855687D4
SHA-512:	4D238245D556825E9CAE02EE2712C82CEB9819EC4F062C437CB1BB8349AF1AF895D921E73D91CBDDEC66047852DA4C87B83F06C0418EFA77FC28D6354758C879
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Roaming\jcWxLdFqdoHatB.exe

Download File

Process:	C:\Users\user\Desktop\Packing list.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	866816
Entropy (8bit):	7.774266041426872
Encrypted:	false
SSDEEP:	12288:Py5/O6uz02iN2SeIo4D6KftU7+ZbWLlbjskXIdpcum3FO9m/8UgxBzifEBJw87o:PIWE18SeWOKft2lJbPQcnM68UmXo
MD5:	C7A4E2993E53B71353110DEBF193F711
SHA1:	C5CC5B995685CF3474D0998DC8F8BE0080635F2C
SHA-256:	2698F26BC94C6EE64DD216F13C805F6A2EE512C47F1A23F026DD606ADC42FCB9
SHA-512:	B657DCF76D2BBEFB933738E61948886DBA367AAF8DF226175114C8261580C2AA6D821E93F1F9FF56740825B683403A5726681202B535E7D010A240972A361819
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............P..0...........N... ...`....@.. ....................................@.................................hN..O....`............................................................................... ............... ..H............text........ ...0.................. ..`.rsrc........`.......2..............@..@.reloc...............8..............@..B.................N......H.......8~..XH...........................................................( ...&..(!.....s"........s#........s$........s%........s&...........0...........~....o'....+...0...........~....o(....+...0...........~....o)....+...0...........~....o....+...0...........~....o+....+...0..<........~.....(,.....,!r...p.....(-...o....s/............~.....+...0...........~.....+.."........0..&........(....r5..p~....o0...(1.....t$....+..*...0..&........(....rC..p~....o0...(1.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.774266041426872
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Packing list.exe
File size:	866816
MD5:	c7a4e2993e53b71353110debf193f711
SHA1:	c5cc5b995685cf3474d0998dc8f8be0080635f2c
SHA256:	2698f26bc94c6ee64dd216f13c805f6a2ee512c47f1a23f026dd606adc42fcb9
SHA512:	b657dcf76d2bbefb933738e61948886dba367aaf8df226175114c8261580c2aa6d821e93f1f9ff56740825b683403a5726681202b535e7d010a240972a361819
SSDEEP:	12288:Py5/O6uz02iN2SeIo4D6KftU7+ZbWLlbjskXIdpcum3FO9m/8UgxBzifEBJw87o:PIWE18SeWOKft2lJbPQcnM68UmXo
TLSH:	0C05F1F09AF9B658F035637636D0A03C6BF3EA1BC908E1399D67934D9316EC145E1A23
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............P..0...........N... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4d4eba
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62F118C3 [Mon Aug 8 14:08:03 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd4e68	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd6000	0x5b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd2ec0	0xd3000	False	0.8657967083827014	data	7.781035493181961	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd6000	0x5b4	0x600	False	0.427734375	data	4.099660684112187	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd8000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xd6090	0x324	data
RT_MANIFEST	0xd63c4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 18:34:59.524580002 CEST	58748	53	192.168.2.5	8.8.8.8
Aug 8, 2022 18:34:59.548988104 CEST	53	58748	8.8.8.8	192.168.2.5
Aug 8, 2022 18:35:09.584357977 CEST	62972	53	192.168.2.5	8.8.8.8
Aug 8, 2022 18:35:09.629686117 CEST	53	62972	8.8.8.8	192.168.2.5
Aug 8, 2022 18:35:19.659698009 CEST	64559	53	192.168.2.5	8.8.8.8
Aug 8, 2022 18:35:19.717200041 CEST	53	64559	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 8, 2022 18:34:59.524580002 CEST	192.168.2.5	8.8.8.8	0x5c60	Standard query (0)	www.chillsafe.online	A (IP address)	IN (0x0001)
Aug 8, 2022 18:35:09.584357977 CEST	192.168.2.5	8.8.8.8	0xb990	Standard query (0)	www.alshared.info	A (IP address)	IN (0x0001)
Aug 8, 2022 18:35:19.659698009 CEST	192.168.2.5	8.8.8.8	0x88e0	Standard query (0)	www.rewaard.club	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 8, 2022 18:34:59.548988104 CEST	8.8.8.8	192.168.2.5	0x5c60	No error (0)	www.chillsafe.online	tropical-basin-s8sbx7dp132gwikfbpmorir6.herokudns.com		CNAME (Canonical name)	IN (0x0001)
Aug 8, 2022 18:35:09.629686117 CEST	8.8.8.8	192.168.2.5	0xb990	Name error (3)	www.alshared.info	none	none	A (IP address)	IN (0x0001)
Aug 8, 2022 18:35:19.717200041 CEST	8.8.8.8	192.168.2.5	0x88e0	No error (0)	www.rewaard.club	rewaard.club		CNAME (Canonical name)	IN (0x0001)
Aug 8, 2022 18:35:19.717200041 CEST	8.8.8.8	192.168.2.5	0x88e0	No error (0)	rewaard.club		185.192.114.83	A (IP address)	IN (0x0001)

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Packing list.exePID: 6064, Parent PID: 5596

General

Target ID:	0
Start time:	18:33:09
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\Packing list.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Packing list.exe"
Imagebase:	0xe70000
File size:	866816 bytes
MD5 hash:	C7A4E2993E53B71353110DEBF193F711
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exePID: 6020, Parent PID: 6064

General

Target ID:	6
Start time:	18:33:28
Start date:	08/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcWxLdFqdoHatB" /XML "C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp
Imagebase:	0x1250000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exePID: 5788, Parent PID: 6020

General

Target ID:	7
Start time:	18:33:28
Start date:	08/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: Packing list.exePID: 1320, Parent PID: 6064

General

Target ID:	8
Start time:	18:33:29
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\Packing list.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xff0000
File size:	866816 bytes
MD5 hash:	C7A4E2993E53B71353110DEBF193F711
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exePID: 684, Parent PID: 1320

General

Target ID:	10
Start time:	18:33:33
Start date:	08/08/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff74fc70000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: raserver.exePID: 3856, Parent PID: 684

General

Target ID:	19
Start time:	18:34:15
Start date:	08/08/2022
Path:	C:\Windows\SysWOW64\raserver.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\raserver.exe
Imagebase:	0x350000
File size:	108544 bytes
MD5 hash:	2AADF65E395BFBD0D9B71D7279C8B5EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate