Edit tour

Windows Analysis Report
Packing list.exe

Overview

General Information

Sample Name:	Packing list.exe
Analysis ID:	680524
MD5:	c7a4e2993e53b71353110debf193f711
SHA1:	c5cc5b995685cf3474d0998dc8f8be0080635f2c
SHA256:	2698f26bc94c6ee64dd216f13c805f6a2ee512c47f1a23f026dd606adc42fcb9
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

.NET source code contains method to dynamically call methods (often used by packers)

Queues an APC in another process (thread injection)

.NET source code contains very large strings

Deletes itself after installation

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Packing list.exe (PID: 6064 cmdline: "C:\Users\user\Desktop\Packing list.exe" MD5: C7A4E2993E53B71353110DEBF193F711)

schtasks.exe (PID: 6020 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcWxLdFqdoHatB" /XML "C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Packing list.exe (PID: 1320 cmdline: {path} MD5: C7A4E2993E53B71353110DEBF193F711)

explorer.exe (PID: 684 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

raserver.exe (PID: 3856 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.pahunt.org/umhl/"], "decoy": ["mB8gvYWKNnd+6kcRK8M=", "7zn0DtefQVZc3UcRK8M=", "qj9AgFfem/K5", "7W+k2buMQnZxzkqW8v2wDA==", "BXmNsJSLLt9UZYuO3C2l", "PHnylup3Ec5YTj8qPV+8", "5wuv0g7RYfoLhg==", "qy3Wf2Qv9yamjg==", "EWjULZ91La2UEjQ=", "aN2KCV/tiOP2gyVROJbK2Fg=", "a9tVEduGJF1q4GcHnr2dBg==", "111flmRlGlRY0vPmzRR63KW1wyqR6Q==", "f7+r8NeWp+WZYf6D8v2wDA==", "LGG2X0VJ1rSPHL0Yd/60", "A21qVr1P5aZSS/pCOZbK2Fg=", "W7uNpIBT4NZ+WoHtRGa+", "YpWyeGx/Qx22izPhZenb5O65", "xPm54b/IeWRI4IYqPV+8", "gtxoMfmYZ0HgmQ==", "LMlLAuXndyCmnEXPMpdwBwxB0g==", "siWU81PxsC+0oEWT8v2wDA==", "ks2JuqR+Kkb324cqPV+8", "7CHy2pNs9fzthn43", "uTnZelYp9yamjg==", "FYR8ZtIuEACu", "QV+IJwsM0kTK+2oVgQ==", "I60qeTRmGDxa4UcRK8M=", "bI7FSA8i5lsh0IMkgw==", "fPDj0E0bvTlUwOLGFVq2", "oOS6vYWSNl3Gn4c1", "MMijCmIt6ShS2/7z4Dvb5O65", "hMS597ZZ/MZLKR7nZ54/kNuz", "K2nSnIFmKWqgHFcyv/imbncPSqo=", "4Xb7v/PEdz7Y+2oVgQ==", "Vt2QCbF0aJ4=", "m9VmkEwbxnIa/p3YBFc98Gux", "Q7lAGwwBhTLthn43", "DlGQCZkaysdZJh8yWdKN6m+x", "CF0uM/wT2M7JHzQqPV+8", "1wevt3hI3tPaR2ozyQe1it7fHPg/eczb", "qxcRVQuWHw1MKdA4", "dMADqcZ+K4I=", "H3ZFO+VrJQ6lnpmPa5bK2Fg=", "I2NcqXM1zEPK+2oVgQ==", "XoQXQA0PxDRI+2oVgQ==", "9VDJi2RwODvp3Hz5d+nb5O65", "H4PEOo8dwjlj9KRE8v2wDA==", "fq1yc81rHThNtiRPOJbK2Fg=", "90u1gKqiSJc=", "HnInjdeMNq2UEjQ=", "3O7PDrhF5tWQl8Iwiw==", "AXuXhUUotKqgEHuvpP/GHaUbXbTp8o5Lpg==", "edtWHfXmei7thn43", "1vdgIc5iAGSI60cRK8M=", "sj5/NqAuEACu", "dpQOonl8Rr7LGTZGYZX9RTsVSrM=", "rt0X7dDlpHsQFcJC8v2wDA==", "+nf/2b/GeGL/AHBFB0erBoHNITKM4Q==", "MLMz38fRYBvGpEWX8v2wDA==", "I186c0wbqBqOlnEPXsSi6j64nGru", "CipT7MK3Xrk2U7YQJHvxBA==", "2k/ZrIpV38eJR3Au", "83OJo30uEACu", "yva3tQ7Zsm36/6Qbgtk8EOkFF2SA6Q=="]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x65f1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1e1b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa90f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17307:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17105:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16bb1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17207:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1737f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa4da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x15dcc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb222:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ce07:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1df1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19829:$sqlite3step: 68 34 1C 7B E1 0x1995c:$sqlite3step: 68 34 1C 7B E1 0x1986b:$sqlite3text: 68 38 2A 90 C5 0x199b3:$sqlite3text: 68 38 2A 90 C5 0x19882:$sqlite3blob: 68 53 D8 7F 8C 0x199d5:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x65f1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1e1b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa90f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17307:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17105:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16bb1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17207:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1737f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa4da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x15dcc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb222:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ce07:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1df1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19829:$sqlite3step: 68 34 1C 7B E1 0x1995c:$sqlite3step: 68 34 1C 7B E1 0x1986b:$sqlite3text: 68 38 2A 90 C5 0x199b3:$sqlite3text: 68 38 2A 90 C5 0x19882:$sqlite3blob: 68 53 D8 7F 8C 0x199d5:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x55f1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d1b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x990f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16307:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16105:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15bb1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16207:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1637f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x94da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14dcc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa222:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1be07:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1cf1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18829:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x1886b:$sqlite3text: 68 38 2A 90 C5 0x189b3:$sqlite3text: 68 38 2A 90 C5 0x18882:$sqlite3blob: 68 53 D8 7F 8C 0x189d5:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xe1b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x7307:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7105:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x6bb1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x7207:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x737f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x5dcc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xce07:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xdf1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x9829:$sqlite3step: 68 34 1C 7B E1 0x995c:$sqlite3step: 68 34 1C 7B E1 0x986b:$sqlite3text: 68 38 2A 90 C5 0x99b3:$sqlite3text: 68 38 2A 90 C5 0x9882:$sqlite3blob: 68 53 D8 7F 8C 0x99d5:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xe1b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x7307:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7105:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x6bb1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x7207:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x737f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x5dcc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xce07:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xdf1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x9829:$sqlite3step: 68 34 1C 7B E1 0x995c:$sqlite3step: 68 34 1C 7B E1 0x986b:$sqlite3text: 68 38 2A 90 C5 0x99b3:$sqlite3text: 68 38 2A 90 C5 0x9882:$sqlite3blob: 68 53 D8 7F 8C 0x99d5:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x126811:$a1: 3C 30 50 4F 53 54 74 09 40 0x152031:$a1: 3C 30 50 4F 53 54 74 09 40 0x13e3d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x169bf0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x12ab2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15634f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x137527:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x162d47:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x137325:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x162b45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x136dd1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1625f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x137427:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x162c47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13759f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x162dbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x12a6fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x155f1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135fec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x16180c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x12b442:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x156c62:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x13d027:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x168847:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x13e13a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00 0x16995a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x139a49:$sqlite3step: 68 34 1C 7B E1 0x139b7c:$sqlite3step: 68 34 1C 7B E1 0x165269:$sqlite3step: 68 34 1C 7B E1 0x16539c:$sqlite3step: 68 34 1C 7B E1 0x139a8b:$sqlite3text: 68 38 2A 90 C5 0x139bd3:$sqlite3text: 68 38 2A 90 C5 0x1652ab:$sqlite3text: 68 38 2A 90 C5 0x1653f3:$sqlite3text: 68 38 2A 90 C5 0x139aa2:$sqlite3blob: 68 53 D8 7F 8C 0x139bf5:$sqlite3blob: 68 53 D8 7F 8C 0x1652c2:$sqlite3blob: 68 53 D8 7F 8C 0x165415:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x65f1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1e1b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa90f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17307:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17105:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x16bb1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17207:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1737f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa4da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x15dcc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb222:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ce07:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1df1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19829:$sqlite3step: 68 34 1C 7B E1 0x1995c:$sqlite3step: 68 34 1C 7B E1 0x1986b:$sqlite3text: 68 38 2A 90 C5 0x199b3:$sqlite3text: 68 38 2A 90 C5 0x19882:$sqlite3blob: 68 53 D8 7F 8C 0x199d5:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Packing list.exe PID: 6064	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x6e19a:$s5: AEAAAAMAAQqVT 0x6e10b:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: Packing list.exe PID: 6064	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Packing list.exe PID: 1320	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xd56:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: raserver.exe PID: 3856	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x969:$a1: 3C 30 50 4F 53 54 74 09 40 0x1941:$a1: 3C 30 50 4F 53 54 74 09 40 0x16511e:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.0.Packing list.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
8.0.Packing list.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x57f1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d3b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9b0f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16507:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
8.0.Packing list.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16305:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15db1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16407:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1657f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x96da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14fcc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa422:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c007:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d11a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.0.Packing list.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18a29:$sqlite3step: 68 34 1C 7B E1 0x18b5c:$sqlite3step: 68 34 1C 7B E1 0x18a6b:$sqlite3text: 68 38 2A 90 C5 0x18bb3:$sqlite3text: 68 38 2A 90 C5 0x18a82:$sqlite3blob: 68 53 D8 7F 8C 0x18bd5:$sqlite3blob: 68 53 D8 7F 8C
0.2.Packing list.exe.33f638c.1.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0xcdec:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0xce30:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0xce78:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0xd104:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0xd168:$s2: Set-MpPreference -DisableArchiveScanning $true 0xd1c0:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0xd218:$s4: Set-MpPreference -DisableScriptScanning $true 0xd264:$s5: Set-MpPreference -SubmitSamplesConsent 2 0xd2a4:$s6: Set-MpPreference -MAPSReporting 0 0xd2f0:$s7: Set-MpPreference -HighThreatDefaultAction 6 0xd348:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0xd398:$s9: Set-MpPreference -LowThreatDefaultAction 6 0xd3e8:$s10: Set-MpPreference -SevereThreatDefaultAction 6

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Packing list.exe

Virustotal: Detection: 43%

Perma Link

Yara detected FormBook

Source: Yara match	File source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: www.pahunt.org/umhl/

Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: Packing list.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\jcWxLdFqdoHatB.exe

Joe Sandbox ML: detected

Source: 8.0.Packing list.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.pahunt.org/umhl/"], "decoy": ["mB8gvYWKNnd+6kcRK8M=", "7zn0DtefQVZc3UcRK8M=", "qj9AgFfem/K5", "7W+k2buMQnZxzkqW8v2wDA==", "BXmNsJSLLt9UZYuO3C2l", "PHnylup3Ec5YTj8qPV+8", "5wuv0g7RYfoLhg==", "qy3Wf2Qv9yamjg==", "EWjULZ91La2UEjQ=", "aN2KCV/tiOP2gyVROJbK2Fg=", "a9tVEduGJF1q4GcHnr2dBg==", "111flmRlGlRY0vPmzRR63KW1wyqR6Q==", "f7+r8NeWp+WZYf6D8v2wDA==", "LGG2X0VJ1rSPHL0Yd/60", "A21qVr1P5aZSS/pCOZbK2Fg=", "W7uNpIBT4NZ+WoHtRGa+", "YpWyeGx/Qx22izPhZenb5O65", "xPm54b/IeWRI4IYqPV+8", "gtxoMfmYZ0HgmQ==", "LMlLAuXndyCmnEXPMpdwBwxB0g==", "siWU81PxsC+0oEWT8v2wDA==", "ks2JuqR+Kkb324cqPV+8", "7CHy2pNs9fzthn43", "uTnZelYp9yamjg==", "FYR8ZtIuEACu", "QV+IJwsM0kTK+2oVgQ==", "I60qeTRmGDxa4UcRK8M=", "bI7FSA8i5lsh0IMkgw==", "fPDj0E0bvTlUwOLGFVq2", "oOS6vYWSNl3Gn4c1", "MMijCmIt6ShS2/7z4Dvb5O65", "hMS597ZZ/MZLKR7nZ54/kNuz", "K2nSnIFmKWqgHFcyv/imbncPSqo=", "4Xb7v/PEdz7Y+2oVgQ==", "Vt2QCbF0aJ4=", "m9VmkEwbxnIa/p3YBFc98Gux", "Q7lAGwwBhTLthn43", "DlGQCZkaysdZJh8yWdKN6m+x", "CF0uM/wT2M7JHzQqPV+8", "1wevt3hI3tPaR2ozyQe1it7fHPg/eczb", "qxcRVQuWHw1MKdA4", "dMADqcZ+K4I=", "H3ZFO+VrJQ6lnpmPa5bK2Fg=", "I2NcqXM1zEPK+2oVgQ==", "XoQXQA0PxDRI+2oVgQ==", "9VDJi2RwODvp3Hz5d+nb5O65", "H4PEOo8dwjlj9KRE8v2wDA==", "fq1yc81rHThNtiRPOJbK2Fg=", "90u1gKqiSJc=", "HnInjdeMNq2UEjQ=", "3O7PDrhF5tWQl8Iwiw==", "AXuXhUUotKqgEHuvpP/GHaUbXbTp8o5Lpg==", "edtWHfXmei7thn43", "1vdgIc5iAGSI60cRK8M=", "sj5/NqAuEACu", "dpQOonl8Rr7LGTZGYZX9RTsVSrM=", "rt0X7dDlpHsQFcJC8v2wDA==", "+nf/2b/GeGL/AHBFB0erBoHNITKM4Q==", "MLMz38fRYBvGpEWX8v2wDA==", "I186c0wbqBqOlnEPXsSi6j64nGru", "CipT7MK3Xrk2U7YQJHvxBA==", "2k/ZrIpV38eJR3Au", "83OJo30uEACu", "yva3tQ7Zsm36/6Qbgtk8EOkFF2SA6Q=="]}

Source: Packing list.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Packing list.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: Packing list.exe, 00000008.00000002.562708462.0000000001A90000.00000040.00000800.00020000.00000000.sdmp, Packing list.exe, 00000008.00000003.458129700.00000000018F1000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.682832403.0000000004810000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.560808608.0000000000A04000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.684541829.000000000492F000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.566392906.0000000000BAF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Packing list.exe, Packing list.exe, 00000008.00000002.562708462.0000000001A90000.00000040.00000800.00020000.00000000.sdmp, Packing list.exe, 00000008.00000003.458129700.00000000018F1000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, raserver.exe, 00000013.00000002.682832403.0000000004810000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.560808608.0000000000A04000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.684541829.000000000492F000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.566392906.0000000000BAF000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Packing list.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop edi

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.chillsafe.online
Source: C:\Windows\explorer.exe	Domain query: www.alshared.info

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.pahunt.org/umhl/

Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comRes
Source: Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coma-dY
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.456872900.0000000006100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Packing list.exe, 00000000.00000003.456872900.0000000006100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comC
Source: Packing list.exe, 00000000.00000003.456872900.0000000006100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.417011575.000000000610B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Packing list.exe, 00000000.00000003.417047585.0000000006105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Packing list.exe, 00000000.00000003.424293456.0000000006102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.424293456.0000000006102000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.417883204.0000000006103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Packing list.exe, 00000000.00000003.417883204.0000000006103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comlic
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn$
Source: Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.
Source: Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnx

Source: unknown

DNS traffic detected: queries for: www.chillsafe.online

Source: Packing list.exe, 00000000.00000002.457845803.0000000001589000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Packing list.exe.33f638c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Packing list.exe PID: 1320, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: raserver.exe PID: 3856, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

.NET source code contains very large strings

Source: Packing list.exe, AddCompanyForm.cs	Long String: Length: 20037
Source: jcWxLdFqdoHatB.exe.0.dr, AddCompanyForm.cs	Long String: Length: 20037
Source: 0.0.Packing list.exe.e70000.0.unpack, AddCompanyForm.cs	Long String: Length: 20037

Source: Packing list.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Packing list.exe.33f638c.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Packing list.exe PID: 6064, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: Packing list.exe PID: 1320, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: raserver.exe PID: 3856, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_0339E820
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_0339E810
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_0339BF54
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE63F8
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE2D00
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE4B00
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE9608
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE5550
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DED320
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE3EE0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE8640
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE8632
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE8410
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE8420
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE63D5
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DEC3E8
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE6308
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DEE338
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE4FB0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE4FA0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE4AF1
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE8A58
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DECA40
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE8A68
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE885B
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE8868
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE95D1
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE5543
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE32D8
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE32E8
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE7090
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DE3E08
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DEDD30
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_07DED828
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_08670040
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_08670011
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_08670040
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD4120
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABF900
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE20A0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B820A8
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACB090
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B828EC
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71002
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEEBB0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7DBD2
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B82B28
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B822AE
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2581
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACD5E0
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B825DD
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB0D20
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B82D07
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B81D55
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC841F
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7D466
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B81FF1
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B82EF7
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD6E30
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7D616
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_004202EF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484841F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FD466
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04862581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_049025DD
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484D5E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04902D07
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04830D20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04901D55
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04902EF7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FD616
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04856E30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0490DFCE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04901FF1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484B090
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048620A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_049020A8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_049028EC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1002
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0490E824
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483F900
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04854120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_049022AE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048EFA2B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486EBB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F03DA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FDBD2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04902B28
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032D8920
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EEB93
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EFAA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032F02EF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032DE9E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EEF76
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032D2FB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EFD3A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032D9DA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032D2D8F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032D9D9D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032D2D90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EF4D3

Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 0483B150 appears 45 times
Source: C:\Users\user\Desktop\Packing list.exe	Code function: String function: 01ABB150 appears 35 times

Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AFB040 NtSuspendThread,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AFA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9A10 NtQuerySection,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AFAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9560 NtWriteFile,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AFA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9760 NtOpenProcess,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AFA770 NtOpenThread,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF96D0 NtCreateKey,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF9650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048795D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048796D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048796E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048799A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048795F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0487AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879560 NtWriteFile,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048797A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0487A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879760 NtOpenProcess,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0487A770 NtOpenThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048798A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048798F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0487B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048799D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879A10 NtQuerySection,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879A20 NtResumeThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0487A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04879B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EB950 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EB820 NtReadFile,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EB870 NtDeleteFile,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EB8A0 NtClose,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EB770 NtCreateFile,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EB86A NtDeleteFile,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EB89A NtClose,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EB76A NtCreateFile,

Source: Packing list.exe, 00000000.00000002.457845803.0000000001589000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Packing list.exe
Source: Packing list.exe, 00000000.00000002.466545787.0000000004551000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs Packing list.exe
Source: Packing list.exe, 00000000.00000002.466545787.0000000004551000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameG702.exe6 vs Packing list.exe
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs Packing list.exe
Source: Packing list.exe, 00000000.00000002.472987115.0000000007CD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs Packing list.exe
Source: Packing list.exe, 00000000.00000000.410358073.0000000000F46000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameG702.exe6 vs Packing list.exe
Source: Packing list.exe, 00000000.00000003.446205184.0000000003A08000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs Packing list.exe
Source: Packing list.exe, 00000008.00000003.458924092.0000000001A10000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Packing list.exe
Source: Packing list.exe, 00000008.00000002.566860104.0000000001BAF000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Packing list.exe
Source: Packing list.exe, 00000008.00000003.456310804.000000000186E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Packing list.exe
Source: Packing list.exe, 00000008.00000002.562266975.00000000015B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameraserver.exej% vs Packing list.exe
Source: Packing list.exe	Binary or memory string: OriginalFilenameG702.exe6 vs Packing list.exe

Source: Packing list.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jcWxLdFqdoHatB.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Packing list.exe

Virustotal: Detection: 43%

Source: C:\Users\user\Desktop\Packing list.exe

File read: C:\Users\user\Desktop\Packing list.exe

Jump to behavior

Source: Packing list.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Packing list.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Packing list.exe "C:\Users\user\Desktop\Packing list.exe"
Source: C:\Users\user\Desktop\Packing list.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcWxLdFqdoHatB" /XML "C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Packing list.exe	Process created: C:\Users\user\Desktop\Packing list.exe {path}
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Users\user\Desktop\Packing list.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcWxLdFqdoHatB" /XML "C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp
Source: C:\Users\user\Desktop\Packing list.exe	Process created: C:\Users\user\Desktop\Packing list.exe {path}

Source: C:\Users\user\Desktop\Packing list.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\Packing list.exe

File created: C:\Users\user\AppData\Roaming\jcWxLdFqdoHatB.exe

Jump to behavior

Source: C:\Users\user\Desktop\Packing list.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/3@3/0

Source: C:\Users\user\Desktop\Packing list.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: Packing list.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Packing list.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Packing list.exe	Mutant created: \Sessions\1\BaseNamedObjects\JcKpFLwEHGkRAE
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_01

Source: Packing list.exe	String found in binary or memory: Address:/AddressToolStripTextBox-AddressToolStripButton'ToolStripSeparator3'PhoneToolStripLabel
Source: Packing list.exe	String found in binary or memory: Address:/AddressToolStripTextBox-AddressToolStripButton'ToolStripSeparator3'PhoneToolStripLabel

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Packing list.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: Packing list.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Packing list.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: Packing list.exe, 00000008.00000002.562708462.0000000001A90000.00000040.00000800.00020000.00000000.sdmp, Packing list.exe, 00000008.00000003.458129700.00000000018F1000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.682832403.0000000004810000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.560808608.0000000000A04000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.684541829.000000000492F000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.566392906.0000000000BAF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Packing list.exe, Packing list.exe, 00000008.00000002.562708462.0000000001A90000.00000040.00000800.00020000.00000000.sdmp, Packing list.exe, 00000008.00000003.458129700.00000000018F1000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, raserver.exe, 00000013.00000002.682832403.0000000004810000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.560808608.0000000000A04000.00000004.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000002.684541829.000000000492F000.00000040.00000800.00020000.00000000.sdmp, raserver.exe, 00000013.00000003.566392906.0000000000BAF000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Packing list.exe, AddCompanyForm.cs	.Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: jcWxLdFqdoHatB.exe.0.dr, AddCompanyForm.cs	.Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: 0.0.Packing list.exe.e70000.0.unpack, AddCompanyForm.cs	.Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)

Source: C:\Users\user\Desktop\Packing list.exe	Code function: 0_2_0867513D push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B0D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0488D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EEB5C push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EEAA5 push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EEAFB push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032EEAF2 push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032E4126 push FFFFFF98h; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032E919F push ss; retf
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032E7F12 push ebx; iretd
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032ECD73 pushad ; iretd
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032D3DD7 pushad ; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_032D3C87 push cs; iretd

Source: initial sample	Static PE information: section name: .text entropy: 7.781035493181961
Source: initial sample	Static PE information: section name: .text entropy: 7.781035493181961

Source: C:\Users\user\Desktop\Packing list.exe

File created: C:\Users\user\AppData\Roaming\jcWxLdFqdoHatB.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Packing list.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcWxLdFqdoHatB" /XML "C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\SysWOW64\raserver.exe

File deleted: c:\users\user\desktop\packing list.exe

Jump to behavior

Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Packing list.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Packing list.exe PID: 6064, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Packing list.exe, 00000000.00000002.463942931.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Packing list.exe, 00000000.00000002.463942931.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Packing list.exe TID: 6048

Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Packing list.exe

Code function: 8_2_01B85BA5 rdtsc

Source: C:\Users\user\Desktop\Packing list.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Packing list.exe	API coverage: 5.4 %
Source: C:\Windows\SysWOW64\raserver.exe	API coverage: 9.3 %

Source: C:\Users\user\Desktop\Packing list.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Packing list.exe

Thread delayed: delay time: 922337203685477

Source: explorer.exe, 0000000A.00000000.518640024.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.539248413.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000A.00000000.518640024.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: explorer.exe, 0000000A.00000000.518640024.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000A.00000000.539248413.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000A.00000000.475254478.0000000006915000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.475637080.00000000069D0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 0000000A.00000000.518640024.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 0000000A.00000000.539248413.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\Desktop\Packing list.exe

Code function: 8_2_01B85BA5 rdtsc

Source: C:\Users\user\Desktop\Packing list.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Packing list.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\raserver.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B369A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B441E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B33884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B33884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B37016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B37016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B37016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B84015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B84015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B72073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B81074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B85BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B6D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B353CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B353CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B88B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AED294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AED294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B6B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B6B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B88A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B44257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B805AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B805AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B68DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B3A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B88D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B33540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B714FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B88CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B8740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B8740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B8740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B36C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AD746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B37794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B37794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B37794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AB4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B8070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B8070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B88F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ACEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B346A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B80EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B80EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B80EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B4FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AF8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B88ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B6FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B6FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ABC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AE8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AEA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B71608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01ADAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01AC7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Packing list.exe	Code function: 8_2_01B7AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04908CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0490740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0490740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0490740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04862581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04862581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04862581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04862581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04832D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04832D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04832D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04832D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04832D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048635A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04861DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04861DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04861DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_049005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_049005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048E8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04908D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048BA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04864D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04864D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04864D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04873D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048E3D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04857D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04900EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04900EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04900EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04878EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04908ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048636CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048EFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048616E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048476E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04868E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048EFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048FAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04848794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048737F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0490070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0490070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04834F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04834F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04908F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04839080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048790AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048358EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04904015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04904015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04850050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04850050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04901074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04862990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048F49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048C41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04839100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04839100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04839100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04854120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04854120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04854120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04854120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04854120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0485B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_048352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0484AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0486FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04862ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04862AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04848A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04835210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04835210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04835210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04835210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_0483AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 19_2_04853A1C mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Packing list.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Packing list.exe

Code function: 8_2_01AF99A0 NtCreateSection,LdrInitializeThunk,

Source: C:\Users\user\Desktop\Packing list.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.chillsafe.online
Source: C:\Windows\explorer.exe	Domain query: www.alshared.info

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Packing list.exe

Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 350000

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Packing list.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Packing list.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Packing list.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Packing list.exe

Memory written: C:\Users\user\Desktop\Packing list.exe base: 400000 value starts with: 4D5A

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Packing list.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Packing list.exe	Thread register set: target process: 684
Source: C:\Windows\SysWOW64\raserver.exe	Thread register set: target process: 684

Source: C:\Users\user\Desktop\Packing list.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcWxLdFqdoHatB" /XML "C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp
Source: C:\Users\user\Desktop\Packing list.exe	Process created: C:\Users\user\Desktop\Packing list.exe {path}

Source: explorer.exe, 0000000A.00000000.529517602.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.475161545.0000000006100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.486817000.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.529517602.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.528908599.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.463219469.0000000001430000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.529517602.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.463219469.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.505932724.0000000001430000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: YProgram Managerf
Source: explorer.exe, 0000000A.00000000.529517602.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.463219469.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.505932724.0000000001430000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Users\user\Desktop\Packing list.exe VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Packing list.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Source: C:\Users\user\Desktop\Packing list.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 8.0.Packing list.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	612 Process Injection	1 Masquerading	1 Input Capture	121 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Shared Modules	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	612 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	4 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	13 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Packing list.exe	44%	Virustotal		Browse
Packing list.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\jcWxLdFqdoHatB.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
8.0.Packing list.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.zhongyicts.com.cnx	0%	Avira URL Cloud	safe
http://www.carterandcone.comRes	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.comlic	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.carterandcone.coma-dY	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn$	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.como	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cno.	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.comC	0%	Avira URL Cloud	safe
www.pahunt.org/umhl/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
rewaard.club	185.192.114.83	true	false	unknown
www.chillsafe.online	unknown	unknown	true	unknown
www.rewaard.club	unknown	unknown	true	unknown
www.alshared.info	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.pahunt.org/umhl/	true	Avira URL Cloud: malware	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.456872900.0000000006100000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/	Packing list.exe, 00000000.00000003.424293456.0000000006102000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cnx	Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comRes	Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.417883204.0000000006103000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comlic	Packing list.exe, 00000000.00000003.417883204.0000000006103000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coma-dY	Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/	Packing list.exe, 00000000.00000003.417047585.0000000006105000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.424293456.0000000006102000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.417011575.000000000610B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn$	Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.como	Packing list.exe, 00000000.00000003.456872900.0000000006100000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cno.	Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Packing list.exe, 00000000.00000003.417439081.0000000006106000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, Packing list.exe, 00000000.00000003.417613150.0000000006106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Packing list.exe, 00000000.00000002.459045143.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Packing list.exe, 00000000.00000002.471132417.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comC	Packing list.exe, 00000000.00000003.456872900.0000000006100000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	680524
Start date and time: 08/08/202218:32:06	2022-08-08 18:32:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 22s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Packing list.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/3@3/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 59.4% (good quality ratio 51.7%) Quality average: 71.6% Quality standard deviation: 33.4%
HCA Information:	Successful, ratio: 94% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, licensing.mp.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:33:20	API Interceptor	1x Sleep call for process: Packing list.exe modified

Process:	C:\Users\user\Desktop\Packing list.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp

Download File

Process:	C:\Users\user\Desktop\Packing list.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1651
Entropy (8bit):	5.17949713007774
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKButn:cbhC7ZlNQF/rydbz9I3YODOLNdq3W
MD5:	6527089BACCDC5417F25E75F643B1384
SHA1:	5DC2EEC38E431AAD51106626913E4AD0D74D241F
SHA-256:	661A8DEBE0FB8BCB91202D6806C30BE748E69709EC0C57FDC4D992CB855687D4
SHA-512:	4D238245D556825E9CAE02EE2712C82CEB9819EC4F062C437CB1BB8349AF1AF895D921E73D91CBDDEC66047852DA4C87B83F06C0418EFA77FC28D6354758C879
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Roaming\jcWxLdFqdoHatB.exe

Download File

Process:	C:\Users\user\Desktop\Packing list.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	866816
Entropy (8bit):	7.774266041426872
Encrypted:	false
SSDEEP:	12288:Py5/O6uz02iN2SeIo4D6KftU7+ZbWLlbjskXIdpcum3FO9m/8UgxBzifEBJw87o:PIWE18SeWOKft2lJbPQcnM68UmXo
MD5:	C7A4E2993E53B71353110DEBF193F711
SHA1:	C5CC5B995685CF3474D0998DC8F8BE0080635F2C
SHA-256:	2698F26BC94C6EE64DD216F13C805F6A2EE512C47F1A23F026DD606ADC42FCB9
SHA-512:	B657DCF76D2BBEFB933738E61948886DBA367AAF8DF226175114C8261580C2AA6D821E93F1F9FF56740825B683403A5726681202B535E7D010A240972A361819
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............P..0...........N... ...`....@.. ....................................@.................................hN..O....`............................................................................... ............... ..H............text........ ...0.................. ..`.rsrc........`.......2..............@..@.reloc...............8..............@..B.................N......H.......8~..XH...........................................................( ...&..(!.....s"........s#........s$........s%........s&...........0...........~....o'....+...0...........~....o(....+...0...........~....o)....+...0...........~....o....+...0...........~....o+....+...0..<........~.....(,.....,!r...p.....(-...o....s/............~.....+...0...........~.....+.."........0..&........(....r5..p~....o0...(1.....t$....+..*...0..&........(....rC..p~....o0...(1.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.774266041426872
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Packing list.exe
File size:	866816
MD5:	c7a4e2993e53b71353110debf193f711
SHA1:	c5cc5b995685cf3474d0998dc8f8be0080635f2c
SHA256:	2698f26bc94c6ee64dd216f13c805f6a2ee512c47f1a23f026dd606adc42fcb9
SHA512:	b657dcf76d2bbefb933738e61948886dba367aaf8df226175114c8261580c2aa6d821e93f1f9ff56740825b683403a5726681202b535e7d010a240972a361819
SSDEEP:	12288:Py5/O6uz02iN2SeIo4D6KftU7+ZbWLlbjskXIdpcum3FO9m/8UgxBzifEBJw87o:PIWE18SeWOKft2lJbPQcnM68UmXo
TLSH:	0C05F1F09AF9B658F035637636D0A03C6BF3EA1BC908E1399D67934D9316EC145E1A23
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............P..0...........N... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4d4eba
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62F118C3 [Mon Aug 8 14:08:03 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd4e68	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd6000	0x5b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd2ec0	0xd3000	False	0.8657967083827014	data	7.781035493181961	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd6000	0x5b4	0x600	False	0.427734375	data	4.099660684112187	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd8000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xd6090	0x324	data
RT_MANIFEST	0xd63c4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 18:34:59.524580002 CEST	58748	53	192.168.2.5	8.8.8.8
Aug 8, 2022 18:34:59.548988104 CEST	53	58748	8.8.8.8	192.168.2.5
Aug 8, 2022 18:35:09.584357977 CEST	62972	53	192.168.2.5	8.8.8.8
Aug 8, 2022 18:35:09.629686117 CEST	53	62972	8.8.8.8	192.168.2.5
Aug 8, 2022 18:35:19.659698009 CEST	64559	53	192.168.2.5	8.8.8.8
Aug 8, 2022 18:35:19.717200041 CEST	53	64559	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 8, 2022 18:34:59.524580002 CEST	192.168.2.5	8.8.8.8	0x5c60	Standard query (0)	www.chillsafe.online	A (IP address)	IN (0x0001)
Aug 8, 2022 18:35:09.584357977 CEST	192.168.2.5	8.8.8.8	0xb990	Standard query (0)	www.alshared.info	A (IP address)	IN (0x0001)
Aug 8, 2022 18:35:19.659698009 CEST	192.168.2.5	8.8.8.8	0x88e0	Standard query (0)	www.rewaard.club	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 8, 2022 18:34:59.548988104 CEST	8.8.8.8	192.168.2.5	0x5c60	No error (0)	www.chillsafe.online	tropical-basin-s8sbx7dp132gwikfbpmorir6.herokudns.com		CNAME (Canonical name)	IN (0x0001)
Aug 8, 2022 18:35:09.629686117 CEST	8.8.8.8	192.168.2.5	0xb990	Name error (3)	www.alshared.info	none	none	A (IP address)	IN (0x0001)
Aug 8, 2022 18:35:19.717200041 CEST	8.8.8.8	192.168.2.5	0x88e0	No error (0)	www.rewaard.club	rewaard.club		CNAME (Canonical name)	IN (0x0001)
Aug 8, 2022 18:35:19.717200041 CEST	8.8.8.8	192.168.2.5	0x88e0	No error (0)	rewaard.club		185.192.114.83	A (IP address)	IN (0x0001)

Target ID:	0
Start time:	18:33:09
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\Packing list.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Packing list.exe"
Imagebase:	0xe70000
File size:	866816 bytes
MD5 hash:	C7A4E2993E53B71353110DEBF193F711
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.464998989.00000000043B9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: schtasks.exePID: 6020, Parent PID: 6064

General

Target ID:	6
Start time:	18:33:28
Start date:	08/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcWxLdFqdoHatB" /XML "C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp
Imagebase:	0x1250000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5788, Parent PID: 6020

General

Target ID:	7
Start time:	18:33:28
Start date:	08/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: Packing list.exePID: 1320, Parent PID: 6064

General

Target ID:	8
Start time:	18:33:29
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\Packing list.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xff0000
File size:	866816 bytes
MD5 hash:	C7A4E2993E53B71353110DEBF193F711
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.455277708.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exePID: 684, Parent PID: 1320

General

Target ID:	10
Start time:	18:33:33
Start date:	08/08/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff74fc70000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.542334317.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.521600311.000000000ACD4000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: raserver.exePID: 3856, Parent PID: 684

General

Target ID:	19
Start time:	18:34:15
Start date:	08/08/2022
Path:	C:\Windows\SysWOW64\raserver.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\raserver.exe
Imagebase:	0x350000
File size:	108544 bytes
MD5 hash:	2AADF65E395BFBD0D9B71D7279C8B5EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.682502518.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.679680318.0000000000600000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.682654257.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Packing list.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Packing list.exe.log

C:\Users\user\AppData\Local\Temp\tmp7D6D.tmp

C:\Users\user\AppData\Roaming\jcWxLdFqdoHatB.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

Windows Analysis Report
Packing list.exe