Analysis Report bVsKNuwn30

Overview

General Information

Sample Name: bVsKNuwn30 (renamed file extension from none to exe)
Analysis ID: 433069
MD5: 3c88c6ef1a906bc81fc6b5b7fc478e0c
SHA1: 1007ea59d9c209f367a1873ae6da2eac5fad81ef
SHA256: 1754283e0b6bbbbeb69f165e54e3795d3e34ca14aa7bd8bd3b7dcdd97f7dfca8
Tags: exetrojan
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.bucksnortneola.com/gw2/"], "decoy": ["kmampc.com", "swagsoldier.com", "achochapo.com", "nestymentemaestra.com", "rakuen-beans.info", "portaldainsolvencia.com", "nationaltodaytv.com", "monadiclab.com", "thebudgetfurnituredenver.com", "sifangzhouzi.com", "quangcaosonthach.com", "cbluebeltliveshop.com", "hyperrealmarketing.com", "dallasproducecompany.com", "zizhizhengshu.com", "becosyshe.com", "injectionhub.com", "wasteshelter.com", "gapegod.com", "danfrem.com", "emag.enterprises", "insomniaut.com", "margaretsboutiquenb.com", "bestmovies4k.com", "hsxytz.com", "veles.asia", "graphicoustic.com", "rzeroxi.com", "cristyleebennett.com", "vercoicsporno.club", "awdworldwide.com", "agrilast.com", "vineyardplaceseniorliving.com", "blancaholidaylets.com", "didixun.com", "localmiller.com", "gravityphysiotherapy.com", "couchtabledesktop.com", "cypresswoodsseniorliving.com", "mmdastro.com", "opportunitybsi.com", "deejspeaks.com", "alllivesmattertojesus.info", "clippingpathmask.com", "tuoitrechuatraisudoi.site", "mipecheritage.info", "acadeopolis.com", "52jnh.com", "thetrust.place", "highseachartersct.com", "booklarge.com", "kela-de.com", "ea-it-pantomath.com", "tricountyrr.com", "blackeye.online", "hidrovaco.com", "sleeplessreconnaissance.life", "newalbanyironworks.com", "scthxb.com", "bossssss.com", "isaostar.com", "pointredeem.com", "myfulfillmentproject.com", "toikawai.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Virustotal: Detection: 51% Perma Link
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Metadefender: Detection: 20% Perma Link
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe ReversingLabs: Detection: 55%
Multi AV Scanner detection for submitted file
Source: bVsKNuwn30.exe Virustotal: Detection: 51% Perma Link
Source: bVsKNuwn30.exe Metadefender: Detection: 20% Perma Link
Source: bVsKNuwn30.exe ReversingLabs: Detection: 55%
Yara detected FormBook
Source: Yara match File source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: bVsKNuwn30.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 12.2.bVsKNuwn30.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.bVsKNuwn30.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

barindex
Uses 32bit PE files
Source: bVsKNuwn30.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: bVsKNuwn30.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msiexec.pdb source: bVsKNuwn30.exe, 0000000C.00000002.542351925.0000000000E20000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.506028471.0000000007BA0000.00000002.00000001.sdmp
Source: Binary string: msiexec.pdbGCTL source: bVsKNuwn30.exe, 0000000C.00000002.542351925.0000000000E20000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: bVsKNuwn30.exe, 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, msiexec.exe, 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: bVsKNuwn30.exe, msiexec.exe
Source: Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.506028471.0000000007BA0000.00000002.00000001.sdmp

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_00F9F430
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 4x nop then pop esi 12_2_004172E4
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 4x nop then pop edi 12_2_00417D55
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop esi 19_2_007C72E4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop edi 19_2_007C7D55

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.bucksnortneola.com/gw2/
Source: bVsKNuwn30.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: bVsKNuwn30.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: bVsKNuwn30.exe String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: bVsKNuwn30.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: bVsKNuwn30.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: bVsKNuwn30.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: bVsKNuwn30.exe String found in binary or memory: http://ocsp.comodoca.com0#
Source: bVsKNuwn30.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: bVsKNuwn30.exe String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php
Source: bVsKNuwn30.exe String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php?application/json;
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000E.00000000.514555681.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: bVsKNuwn30.exe String found in binary or memory: https://sectigo.com/CPS0D
Source: bVsKNuwn30.exe String found in binary or memory: https://sectigo.com/CPS0U
Source: bVsKNuwn30.exe String found in binary or memory: https://secure.comodo.com/CPS0L

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: bVsKNuwn30.exe, 0000000C.00000002.542410721.0000000000EAA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_00419D60 NtCreateFile, 12_2_00419D60
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_00419E10 NtReadFile, 12_2_00419E10
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_00419E90 NtClose, 12_2_00419E90
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_00419F40 NtAllocateVirtualMemory, 12_2_00419F40
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_00419D5A NtCreateFile, 12_2_00419D5A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_00419E8B NtClose, 12_2_00419E8B
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_00419F3A NtAllocateVirtualMemory, 12_2_00419F3A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 12_2_011A9910
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9540 NtReadFile,LdrInitializeThunk, 12_2_011A9540
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A99A0 NtCreateSection,LdrInitializeThunk, 12_2_011A99A0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A95D0 NtClose,LdrInitializeThunk, 12_2_011A95D0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9840 NtDelayExecution,LdrInitializeThunk, 12_2_011A9840
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9860 NtQuerySystemInformation,LdrInitializeThunk, 12_2_011A9860
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A98F0 NtReadVirtualMemory,LdrInitializeThunk, 12_2_011A98F0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9710 NtQueryInformationToken,LdrInitializeThunk, 12_2_011A9710
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9780 NtMapViewOfSection,LdrInitializeThunk, 12_2_011A9780
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A97A0 NtUnmapViewOfSection,LdrInitializeThunk, 12_2_011A97A0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9A00 NtProtectVirtualMemory,LdrInitializeThunk, 12_2_011A9A00
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9A20 NtResumeThread,LdrInitializeThunk, 12_2_011A9A20
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9A50 NtCreateFile,LdrInitializeThunk, 12_2_011A9A50
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 12_2_011A9660
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A96E0 NtFreeVirtualMemory,LdrInitializeThunk, 12_2_011A96E0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011AAD30 NtSetContextThread, 12_2_011AAD30
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9520 NtWaitForSingleObject, 12_2_011A9520
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9950 NtQueueApcThread, 12_2_011A9950
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9560 NtWriteFile, 12_2_011A9560
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A99D0 NtCreateProcessEx, 12_2_011A99D0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A95F0 NtQueryInformationFile, 12_2_011A95F0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9820 NtEnumerateKey, 12_2_011A9820
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011AB040 NtSuspendThread, 12_2_011AB040
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A98A0 NtWriteVirtualMemory, 12_2_011A98A0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011AA710 NtOpenProcessToken, 12_2_011AA710
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9B00 NtSetValueKey, 12_2_011A9B00
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9730 NtQueryVirtualMemory, 12_2_011A9730
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9770 NtSetInformationFile, 12_2_011A9770
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011AA770 NtOpenThread, 12_2_011AA770
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9760 NtOpenProcess, 12_2_011A9760
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011AA3B0 NtGetContextThread, 12_2_011AA3B0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9FE0 NtCreateMutant, 12_2_011A9FE0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9610 NtEnumerateValueKey, 12_2_011A9610
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9A10 NtQuerySection, 12_2_011A9A10
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9650 NtQueryValueKey, 12_2_011A9650
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9670 NtQueryInformationProcess, 12_2_011A9670
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A9A80 NtOpenDirectoryObject, 12_2_011A9A80
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A96D0 NtCreateKey, 12_2_011A96D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29860 NtQuerySystemInformation,LdrInitializeThunk, 19_2_04A29860
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29840 NtDelayExecution,LdrInitializeThunk, 19_2_04A29840
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A299A0 NtCreateSection,LdrInitializeThunk, 19_2_04A299A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A295D0 NtClose,LdrInitializeThunk, 19_2_04A295D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29910 NtAdjustPrivilegesToken,LdrInitializeThunk, 19_2_04A29910
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29540 NtReadFile,LdrInitializeThunk, 19_2_04A29540
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A296E0 NtFreeVirtualMemory,LdrInitializeThunk, 19_2_04A296E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A296D0 NtCreateKey,LdrInitializeThunk, 19_2_04A296D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29660 NtAllocateVirtualMemory,LdrInitializeThunk, 19_2_04A29660
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29650 NtQueryValueKey,LdrInitializeThunk, 19_2_04A29650
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29A50 NtCreateFile,LdrInitializeThunk, 19_2_04A29A50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29780 NtMapViewOfSection,LdrInitializeThunk, 19_2_04A29780
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29FE0 NtCreateMutant,LdrInitializeThunk, 19_2_04A29FE0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29710 NtQueryInformationToken,LdrInitializeThunk, 19_2_04A29710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A298A0 NtWriteVirtualMemory, 19_2_04A298A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A298F0 NtReadVirtualMemory, 19_2_04A298F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29820 NtEnumerateKey, 19_2_04A29820
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A2B040 NtSuspendThread, 19_2_04A2B040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A295F0 NtQueryInformationFile, 19_2_04A295F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A299D0 NtCreateProcessEx, 19_2_04A299D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29520 NtWaitForSingleObject, 19_2_04A29520
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A2AD30 NtSetContextThread, 19_2_04A2AD30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29560 NtWriteFile, 19_2_04A29560
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29950 NtQueueApcThread, 19_2_04A29950
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29A80 NtOpenDirectoryObject, 19_2_04A29A80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29A20 NtResumeThread, 19_2_04A29A20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29A00 NtProtectVirtualMemory, 19_2_04A29A00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29610 NtEnumerateValueKey, 19_2_04A29610
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29A10 NtQuerySection, 19_2_04A29A10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29670 NtQueryInformationProcess, 19_2_04A29670
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A297A0 NtUnmapViewOfSection, 19_2_04A297A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A2A3B0 NtGetContextThread, 19_2_04A2A3B0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29730 NtQueryVirtualMemory, 19_2_04A29730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29B00 NtSetValueKey, 19_2_04A29B00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A2A710 NtOpenProcessToken, 19_2_04A2A710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29760 NtOpenProcess, 19_2_04A29760
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A29770 NtSetInformationFile, 19_2_04A29770
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A2A770 NtOpenThread, 19_2_04A2A770
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007C9D60 NtCreateFile, 19_2_007C9D60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007C9E10 NtReadFile, 19_2_007C9E10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007C9E90 NtClose, 19_2_007C9E90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007C9F40 NtAllocateVirtualMemory, 19_2_007C9F40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007C9D5A NtCreateFile, 19_2_007C9D5A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007C9E8B NtClose, 19_2_007C9E8B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007C9F3A NtAllocateVirtualMemory, 19_2_007C9F3A
Detected potential crypto function
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Code function: 0_2_00F917B0 0_2_00F917B0
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Code function: 0_2_00F91C28 0_2_00F91C28
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Code function: 0_2_00F91C18 0_2_00F91C18
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Code function: 0_2_00F91795 0_2_00F91795
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Code function: 0_2_0528F528 0_2_0528F528
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Code function: 0_2_05280007 0_2_05280007
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Code function: 0_2_05280040 0_2_05280040
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Code function: 0_2_05286B28 0_2_05286B28
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_00401030 12_2_00401030
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0041D8BA 12_2_0041D8BA
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0041D988 12_2_0041D988
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0041E2F2 12_2_0041E2F2
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_004012FB 12_2_004012FB
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0041DA9E 12_2_0041DA9E
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_00402D88 12_2_00402D88
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_00402D90 12_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_00409E40 12_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0041DE31 12_2_0041DE31
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_00409E3B 12_2_00409E3B
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0041D719 12_2_0041D719
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0041CFA3 12_2_0041CFA3
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0041CFA6 12_2_0041CFA6
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_00402FB0 12_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0041DFB0 12_2_0041DFB0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0116F900 12_2_0116F900
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01160D20 12_2_01160D20
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01184120 12_2_01184120
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01231D55 12_2_01231D55
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01221002 12_2_01221002
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0117B090 12_2_0117B090
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0119EBB0 12_2_0119EBB0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01186E30 12_2_01186E30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A120A0 19_2_04A120A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049FB090 19_2_049FB090
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F841F 19_2_049F841F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA1002 19_2_04AA1002
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A12581 19_2_04A12581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049FD5E0 19_2_049FD5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A04120 19_2_04A04120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049EF900 19_2_049EF900
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E0D20 19_2_049E0D20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB1D55 19_2_04AB1D55
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A06E30 19_2_04A06E30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1EBB0 19_2_04A1EBB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007CE2F2 19_2_007CE2F2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007B2D90 19_2_007B2D90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007B2D88 19_2_007B2D88
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007B9E40 19_2_007B9E40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007B9E3B 19_2_007B9E3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007B2FB0 19_2_007B2FB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007CCFA6 19_2_007CCFA6
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe 1754283E0B6BBBBEB69F165E54E3795D3E34CA14AA7BD8BD3B7DCDD97F7DFCA8
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 049EB150 appears 35 times
PE / OLE file has an invalid certificate
Source: bVsKNuwn30.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: bVsKNuwn30.exe, 00000000.00000002.491736102.00000000050E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameZcmwzsmpuvltki.dll" vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.484948523.000000000076E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameRFL_0769002.exeB vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.491858013.0000000005120000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.490881651.0000000004F20000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.489244106.0000000003ABD000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameZmhikajpuu.dll6 vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.491869526.0000000005130000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 0000000C.00000002.542377429.0000000000E2F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemsiexec.exeX vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 0000000C.00000000.484196822.00000000006DE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameRFL_0769002.exeB vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 0000000C.00000002.543477824.00000000013EF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe Binary or memory string: OriginalFilenameRFL_0769002.exeB vs bVsKNuwn30.exe
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Uses 32bit PE files
Source: bVsKNuwn30.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: bVsKNuwn30.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: bVsKNuwn30.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/3@0/0
Source: C:\Users\user\Desktop\bVsKNuwn30.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bVsKNuwn30.exe.log Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_01
Source: C:\Users\user\Desktop\bVsKNuwn30.exe File created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Jump to behavior
Source: bVsKNuwn30.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: bVsKNuwn30.exe Virustotal: Detection: 51%
Source: bVsKNuwn30.exe Metadefender: Detection: 20%
Source: bVsKNuwn30.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\bVsKNuwn30.exe File read: C:\Users\user\Desktop\bVsKNuwn30.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\bVsKNuwn30.exe 'C:\Users\user\Desktop\bVsKNuwn30.exe'
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe' Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: bVsKNuwn30.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: bVsKNuwn30.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: bVsKNuwn30.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: msiexec.pdb source: bVsKNuwn30.exe, 0000000C.00000002.542351925.0000000000E20000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.506028471.0000000007BA0000.00000002.00000001.sdmp
Source: Binary string: msiexec.pdbGCTL source: bVsKNuwn30.exe, 0000000C.00000002.542351925.0000000000E20000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: bVsKNuwn30.exe, 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, msiexec.exe, 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: bVsKNuwn30.exe, msiexec.exe
Source: Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.506028471.0000000007BA0000.00000002.00000001.sdmp

Data Obfuscation:

barindex
Yara detected Costura Assembly Loader
Source: Yara match File source: bVsKNuwn30.exe, type: SAMPLE
Source: Yara match File source: 0000000C.00000000.482709799.0000000000662000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.484079723.0000000000662000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.481505916.0000000000CB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.601052355.0000000004EEF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.331883063.00000000006F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.484632271.00000000006F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.599515980.000000000469F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.539491426.0000000000662000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bVsKNuwn30.exe PID: 5612, type: MEMORY
Source: Yara match File source: Process Memory Space: bVsKNuwn30.exe PID: 6700, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe, type: DROPPED
Source: Yara match File source: 12.2.bVsKNuwn30.exe.660000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.msiexec.exe.4eef834.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bVsKNuwn30.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.bVsKNuwn30.exe.660000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.bVsKNuwn30.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.bVsKNuwn30.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.msiexec.exe.4eef834.4.unpack, type: UNPACKEDPE
Binary contains a suspicious time stamp
Source: bVsKNuwn30.exe Static PE information: 0xD669075E [Tue Dec 28 08:16:30 2083 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Code function: 0_2_00F962B5 push 8BFFFFFEh; retf 0_2_00F962BB
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Code function: 0_2_00F95265 push ecx; retf 0_2_00F9526C
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Code function: 0_2_00F94E5C pushad ; iretd 0_2_00F94E5D
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_00417B68 push ebx; ret 12_2_00417B69
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0041CEB5 push eax; ret 12_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0041CF6C push eax; ret 12_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0041CF02 push eax; ret 12_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0041CF0B push eax; ret 12_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_004167E2 push esi; retf 12_2_004167F5
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0040C78D push ecx; iretd 12_2_0040C78E
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011BD0D1 push ecx; ret 12_2_011BD0E4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A3D0D1 push ecx; ret 19_2_04A3D0E4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007C7B68 push ebx; ret 19_2_007C7B69
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007CCEB5 push eax; ret 19_2_007CCF08
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007CCF6C push eax; ret 19_2_007CCF72
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007CCF0B push eax; ret 19_2_007CCF72
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007CCF02 push eax; ret 19_2_007CCF08
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007C67E2 push esi; retf 19_2_007C67F5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_007BC78D push ecx; iretd 19_2_007BC78E
Source: initial sample Static PE information: section name: .text entropy: 7.99300765862
Source: initial sample Static PE information: section name: .text entropy: 7.99300765862

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\bVsKNuwn30.exe File created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE8
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 00000000007B98E4 second address: 00000000007B98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 00000000007B9B5E second address: 00000000007B9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_00409A90 rdtsc 12_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\bVsKNuwn30.exe TID: 6732 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 0000000E.00000000.506523200.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000E.00000000.506479476.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: explorer.exe, 0000000E.00000000.509250519.000000000D462000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`1
Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000000.525625235.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000E.00000000.527417475.000000000641D000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000000E.00000000.506479476.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000E.00000000.527417475.000000000641D000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000000.506355991.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 0000000E.00000000.509250519.000000000D462000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P1
Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000000.525625235.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000000.525625235.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000E.00000000.509250519.000000000D462000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}82eb45d9c96749644b820
Source: explorer.exe, 0000000E.00000000.506355991.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000E.00000000.506523200.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 0000000E.00000000.509250519.000000000D462000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.Microsoft.WBT
Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000000.525625235.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 0000000E.00000000.514555681.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_00409A90 rdtsc 12_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Code function: 0_2_00F91120 LdrInitializeThunk, 0_2_00F91120
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01169100 mov eax, dword ptr fs:[00000030h] 12_2_01169100
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01169100 mov eax, dword ptr fs:[00000030h] 12_2_01169100
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01169100 mov eax, dword ptr fs:[00000030h] 12_2_01169100
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01238D34 mov eax, dword ptr fs:[00000030h] 12_2_01238D34
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01194D3B mov eax, dword ptr fs:[00000030h] 12_2_01194D3B
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01194D3B mov eax, dword ptr fs:[00000030h] 12_2_01194D3B
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01194D3B mov eax, dword ptr fs:[00000030h] 12_2_01194D3B
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0119513A mov eax, dword ptr fs:[00000030h] 12_2_0119513A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0119513A mov eax, dword ptr fs:[00000030h] 12_2_0119513A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01173D34 mov eax, dword ptr fs:[00000030h] 12_2_01173D34
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01173D34 mov eax, dword ptr fs:[00000030h] 12_2_01173D34
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01173D34 mov eax, dword ptr fs:[00000030h] 12_2_01173D34
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01173D34 mov eax, dword ptr fs:[00000030h] 12_2_01173D34
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01173D34 mov eax, dword ptr fs:[00000030h] 12_2_01173D34
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01173D34 mov eax, dword ptr fs:[00000030h] 12_2_01173D34
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01173D34 mov eax, dword ptr fs:[00000030h] 12_2_01173D34
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01173D34 mov eax, dword ptr fs:[00000030h] 12_2_01173D34
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01173D34 mov eax, dword ptr fs:[00000030h] 12_2_01173D34
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01173D34 mov eax, dword ptr fs:[00000030h] 12_2_01173D34
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01173D34 mov eax, dword ptr fs:[00000030h] 12_2_01173D34
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01173D34 mov eax, dword ptr fs:[00000030h] 12_2_01173D34
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01173D34 mov eax, dword ptr fs:[00000030h] 12_2_01173D34
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0116AD30 mov eax, dword ptr fs:[00000030h] 12_2_0116AD30
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01184120 mov eax, dword ptr fs:[00000030h] 12_2_01184120
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01184120 mov eax, dword ptr fs:[00000030h] 12_2_01184120
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01184120 mov eax, dword ptr fs:[00000030h] 12_2_01184120
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01184120 mov eax, dword ptr fs:[00000030h] 12_2_01184120
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01184120 mov ecx, dword ptr fs:[00000030h] 12_2_01184120
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01187D50 mov eax, dword ptr fs:[00000030h] 12_2_01187D50
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A3D43 mov eax, dword ptr fs:[00000030h] 12_2_011A3D43
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0118B944 mov eax, dword ptr fs:[00000030h] 12_2_0118B944
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0118B944 mov eax, dword ptr fs:[00000030h] 12_2_0118B944
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011E3540 mov eax, dword ptr fs:[00000030h] 12_2_011E3540
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0116B171 mov eax, dword ptr fs:[00000030h] 12_2_0116B171
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0116B171 mov eax, dword ptr fs:[00000030h] 12_2_0116B171
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0118C577 mov eax, dword ptr fs:[00000030h] 12_2_0118C577
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0118C577 mov eax, dword ptr fs:[00000030h] 12_2_0118C577
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0119FD9B mov eax, dword ptr fs:[00000030h] 12_2_0119FD9B
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0119FD9B mov eax, dword ptr fs:[00000030h] 12_2_0119FD9B
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0118C182 mov eax, dword ptr fs:[00000030h] 12_2_0118C182
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0119A185 mov eax, dword ptr fs:[00000030h] 12_2_0119A185
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01162D8A mov eax, dword ptr fs:[00000030h] 12_2_01162D8A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01162D8A mov eax, dword ptr fs:[00000030h] 12_2_01162D8A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01162D8A mov eax, dword ptr fs:[00000030h] 12_2_01162D8A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01162D8A mov eax, dword ptr fs:[00000030h] 12_2_01162D8A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01162D8A mov eax, dword ptr fs:[00000030h] 12_2_01162D8A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011935A1 mov eax, dword ptr fs:[00000030h] 12_2_011935A1
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01218DF1 mov eax, dword ptr fs:[00000030h] 12_2_01218DF1
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0116B1E1 mov eax, dword ptr fs:[00000030h] 12_2_0116B1E1
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0116B1E1 mov eax, dword ptr fs:[00000030h] 12_2_0116B1E1
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0116B1E1 mov eax, dword ptr fs:[00000030h] 12_2_0116B1E1
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011E7016 mov eax, dword ptr fs:[00000030h] 12_2_011E7016
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011E7016 mov eax, dword ptr fs:[00000030h] 12_2_011E7016
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011E7016 mov eax, dword ptr fs:[00000030h] 12_2_011E7016
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011E6C0A mov eax, dword ptr fs:[00000030h] 12_2_011E6C0A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011E6C0A mov eax, dword ptr fs:[00000030h] 12_2_011E6C0A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011E6C0A mov eax, dword ptr fs:[00000030h] 12_2_011E6C0A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011E6C0A mov eax, dword ptr fs:[00000030h] 12_2_011E6C0A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01221C06 mov eax, dword ptr fs:[00000030h] 12_2_01221C06
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01221C06 mov eax, dword ptr fs:[00000030h] 12_2_01221C06
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01221C06 mov eax, dword ptr fs:[00000030h] 12_2_01221C06
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01221C06 mov eax, dword ptr fs:[00000030h] 12_2_01221C06
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01221C06 mov eax, dword ptr fs:[00000030h] 12_2_01221C06
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01221C06 mov eax, dword ptr fs:[00000030h] 12_2_01221C06
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01221C06 mov eax, dword ptr fs:[00000030h] 12_2_01221C06
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01221C06 mov eax, dword ptr fs:[00000030h] 12_2_01221C06
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01221C06 mov eax, dword ptr fs:[00000030h] 12_2_01221C06
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01221C06 mov eax, dword ptr fs:[00000030h] 12_2_01221C06
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01221C06 mov eax, dword ptr fs:[00000030h] 12_2_01221C06
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01221C06 mov eax, dword ptr fs:[00000030h] 12_2_01221C06
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01221C06 mov eax, dword ptr fs:[00000030h] 12_2_01221C06
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01221C06 mov eax, dword ptr fs:[00000030h] 12_2_01221C06
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0123740D mov eax, dword ptr fs:[00000030h] 12_2_0123740D
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0123740D mov eax, dword ptr fs:[00000030h] 12_2_0123740D
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0123740D mov eax, dword ptr fs:[00000030h] 12_2_0123740D
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0119BC2C mov eax, dword ptr fs:[00000030h] 12_2_0119BC2C
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01234015 mov eax, dword ptr fs:[00000030h] 12_2_01234015
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01234015 mov eax, dword ptr fs:[00000030h] 12_2_01234015
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0117B02A mov eax, dword ptr fs:[00000030h] 12_2_0117B02A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0117B02A mov eax, dword ptr fs:[00000030h] 12_2_0117B02A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0117B02A mov eax, dword ptr fs:[00000030h] 12_2_0117B02A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0117B02A mov eax, dword ptr fs:[00000030h] 12_2_0117B02A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01180050 mov eax, dword ptr fs:[00000030h] 12_2_01180050
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01180050 mov eax, dword ptr fs:[00000030h] 12_2_01180050
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011FC450 mov eax, dword ptr fs:[00000030h] 12_2_011FC450
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011FC450 mov eax, dword ptr fs:[00000030h] 12_2_011FC450
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01222073 mov eax, dword ptr fs:[00000030h] 12_2_01222073
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01231074 mov eax, dword ptr fs:[00000030h] 12_2_01231074
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0118746D mov eax, dword ptr fs:[00000030h] 12_2_0118746D
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01169080 mov eax, dword ptr fs:[00000030h] 12_2_01169080
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011E3884 mov eax, dword ptr fs:[00000030h] 12_2_011E3884
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011E3884 mov eax, dword ptr fs:[00000030h] 12_2_011E3884
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0119F0BF mov ecx, dword ptr fs:[00000030h] 12_2_0119F0BF
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0119F0BF mov eax, dword ptr fs:[00000030h] 12_2_0119F0BF
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0119F0BF mov eax, dword ptr fs:[00000030h] 12_2_0119F0BF
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A90AF mov eax, dword ptr fs:[00000030h] 12_2_011A90AF
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011FB8D0 mov eax, dword ptr fs:[00000030h] 12_2_011FB8D0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011FB8D0 mov ecx, dword ptr fs:[00000030h] 12_2_011FB8D0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011FB8D0 mov eax, dword ptr fs:[00000030h] 12_2_011FB8D0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011FB8D0 mov eax, dword ptr fs:[00000030h] 12_2_011FB8D0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011FB8D0 mov eax, dword ptr fs:[00000030h] 12_2_011FB8D0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011FB8D0 mov eax, dword ptr fs:[00000030h] 12_2_011FB8D0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_012214FB mov eax, dword ptr fs:[00000030h] 12_2_012214FB
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01238CD6 mov eax, dword ptr fs:[00000030h] 12_2_01238CD6
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011FFF10 mov eax, dword ptr fs:[00000030h] 12_2_011FFF10
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011FFF10 mov eax, dword ptr fs:[00000030h] 12_2_011FFF10
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0119E730 mov eax, dword ptr fs:[00000030h] 12_2_0119E730
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0123070D mov eax, dword ptr fs:[00000030h] 12_2_0123070D
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0123070D mov eax, dword ptr fs:[00000030h] 12_2_0123070D
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01164F2E mov eax, dword ptr fs:[00000030h] 12_2_01164F2E
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01164F2E mov eax, dword ptr fs:[00000030h] 12_2_01164F2E
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0122131B mov eax, dword ptr fs:[00000030h] 12_2_0122131B
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01238F6A mov eax, dword ptr fs:[00000030h] 12_2_01238F6A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0116F358 mov eax, dword ptr fs:[00000030h] 12_2_0116F358
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0116DB40 mov eax, dword ptr fs:[00000030h] 12_2_0116DB40
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0117EF40 mov eax, dword ptr fs:[00000030h] 12_2_0117EF40
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01193B7A mov eax, dword ptr fs:[00000030h] 12_2_01193B7A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01193B7A mov eax, dword ptr fs:[00000030h] 12_2_01193B7A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0116DB60 mov ecx, dword ptr fs:[00000030h] 12_2_0116DB60
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0117FF60 mov eax, dword ptr fs:[00000030h] 12_2_0117FF60
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01238B58 mov eax, dword ptr fs:[00000030h] 12_2_01238B58
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01235BA5 mov eax, dword ptr fs:[00000030h] 12_2_01235BA5
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01171B8F mov eax, dword ptr fs:[00000030h] 12_2_01171B8F
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01171B8F mov eax, dword ptr fs:[00000030h] 12_2_01171B8F
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0121D380 mov ecx, dword ptr fs:[00000030h] 12_2_0121D380
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0122138A mov eax, dword ptr fs:[00000030h] 12_2_0122138A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0116C600 mov eax, dword ptr fs:[00000030h] 12_2_0116C600
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0116C600 mov eax, dword ptr fs:[00000030h] 12_2_0116C600
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0116C600 mov eax, dword ptr fs:[00000030h] 12_2_0116C600
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0121FE3F mov eax, dword ptr fs:[00000030h] 12_2_0121FE3F
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0116E620 mov eax, dword ptr fs:[00000030h] 12_2_0116E620
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0121B260 mov eax, dword ptr fs:[00000030h] 12_2_0121B260
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0121B260 mov eax, dword ptr fs:[00000030h] 12_2_0121B260
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01238A62 mov eax, dword ptr fs:[00000030h] 12_2_01238A62
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01169240 mov eax, dword ptr fs:[00000030h] 12_2_01169240
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01169240 mov eax, dword ptr fs:[00000030h] 12_2_01169240
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01169240 mov eax, dword ptr fs:[00000030h] 12_2_01169240
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01169240 mov eax, dword ptr fs:[00000030h] 12_2_01169240
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h] 12_2_01177E41
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h] 12_2_01177E41
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h] 12_2_01177E41
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h] 12_2_01177E41
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h] 12_2_01177E41
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h] 12_2_01177E41
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011A927A mov eax, dword ptr fs:[00000030h] 12_2_011A927A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0117766D mov eax, dword ptr fs:[00000030h] 12_2_0117766D
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01230EA5 mov eax, dword ptr fs:[00000030h] 12_2_01230EA5
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01230EA5 mov eax, dword ptr fs:[00000030h] 12_2_01230EA5
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01230EA5 mov eax, dword ptr fs:[00000030h] 12_2_01230EA5
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0119D294 mov eax, dword ptr fs:[00000030h] 12_2_0119D294
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0119D294 mov eax, dword ptr fs:[00000030h] 12_2_0119D294
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011FFE87 mov eax, dword ptr fs:[00000030h] 12_2_011FFE87
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0119FAB0 mov eax, dword ptr fs:[00000030h] 12_2_0119FAB0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011652A5 mov eax, dword ptr fs:[00000030h] 12_2_011652A5
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011652A5 mov eax, dword ptr fs:[00000030h] 12_2_011652A5
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011652A5 mov eax, dword ptr fs:[00000030h] 12_2_011652A5
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011652A5 mov eax, dword ptr fs:[00000030h] 12_2_011652A5
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011652A5 mov eax, dword ptr fs:[00000030h] 12_2_011652A5
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011E46A7 mov eax, dword ptr fs:[00000030h] 12_2_011E46A7
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011936CC mov eax, dword ptr fs:[00000030h] 12_2_011936CC
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_0121FEC0 mov eax, dword ptr fs:[00000030h] 12_2_0121FEC0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_01238ED6 mov eax, dword ptr fs:[00000030h] 12_2_01238ED6
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011776E2 mov eax, dword ptr fs:[00000030h] 12_2_011776E2
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Code function: 12_2_011916E0 mov ecx, dword ptr fs:[00000030h] 12_2_011916E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h] 19_2_04A120A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h] 19_2_04A120A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h] 19_2_04A120A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h] 19_2_04A120A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h] 19_2_04A120A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h] 19_2_04A120A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F849B mov eax, dword ptr fs:[00000030h] 19_2_049F849B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A290AF mov eax, dword ptr fs:[00000030h] 19_2_04A290AF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E9080 mov eax, dword ptr fs:[00000030h] 19_2_049E9080
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1F0BF mov ecx, dword ptr fs:[00000030h] 19_2_04A1F0BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1F0BF mov eax, dword ptr fs:[00000030h] 19_2_04A1F0BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1F0BF mov eax, dword ptr fs:[00000030h] 19_2_04A1F0BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A63884 mov eax, dword ptr fs:[00000030h] 19_2_04A63884
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A63884 mov eax, dword ptr fs:[00000030h] 19_2_04A63884
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA14FB mov eax, dword ptr fs:[00000030h] 19_2_04AA14FB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A66CF0 mov eax, dword ptr fs:[00000030h] 19_2_04A66CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A66CF0 mov eax, dword ptr fs:[00000030h] 19_2_04A66CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A66CF0 mov eax, dword ptr fs:[00000030h] 19_2_04A66CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E58EC mov eax, dword ptr fs:[00000030h] 19_2_049E58EC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A7B8D0 mov eax, dword ptr fs:[00000030h] 19_2_04A7B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A7B8D0 mov ecx, dword ptr fs:[00000030h] 19_2_04A7B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A7B8D0 mov eax, dword ptr fs:[00000030h] 19_2_04A7B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A7B8D0 mov eax, dword ptr fs:[00000030h] 19_2_04A7B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A7B8D0 mov eax, dword ptr fs:[00000030h] 19_2_04A7B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A7B8D0 mov eax, dword ptr fs:[00000030h] 19_2_04A7B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB8CD6 mov eax, dword ptr fs:[00000030h] 19_2_04AB8CD6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1002D mov eax, dword ptr fs:[00000030h] 19_2_04A1002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1002D mov eax, dword ptr fs:[00000030h] 19_2_04A1002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1002D mov eax, dword ptr fs:[00000030h] 19_2_04A1002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1002D mov eax, dword ptr fs:[00000030h] 19_2_04A1002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1002D mov eax, dword ptr fs:[00000030h] 19_2_04A1002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1BC2C mov eax, dword ptr fs:[00000030h] 19_2_04A1BC2C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB740D mov eax, dword ptr fs:[00000030h] 19_2_04AB740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB740D mov eax, dword ptr fs:[00000030h] 19_2_04AB740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB740D mov eax, dword ptr fs:[00000030h] 19_2_04AB740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AA1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AA1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AA1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AA1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AA1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AA1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AA1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AA1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AA1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AA1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AA1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AA1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AA1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AA1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A66C0A mov eax, dword ptr fs:[00000030h] 19_2_04A66C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A66C0A mov eax, dword ptr fs:[00000030h] 19_2_04A66C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A66C0A mov eax, dword ptr fs:[00000030h] 19_2_04A66C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A66C0A mov eax, dword ptr fs:[00000030h] 19_2_04A66C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A67016 mov eax, dword ptr fs:[00000030h] 19_2_04A67016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A67016 mov eax, dword ptr fs:[00000030h] 19_2_04A67016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A67016 mov eax, dword ptr fs:[00000030h] 19_2_04A67016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049FB02A mov eax, dword ptr fs:[00000030h] 19_2_049FB02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049FB02A mov eax, dword ptr fs:[00000030h] 19_2_049FB02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049FB02A mov eax, dword ptr fs:[00000030h] 19_2_049FB02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049FB02A mov eax, dword ptr fs:[00000030h] 19_2_049FB02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB4015 mov eax, dword ptr fs:[00000030h] 19_2_04AB4015
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB4015 mov eax, dword ptr fs:[00000030h] 19_2_04AB4015
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A0746D mov eax, dword ptr fs:[00000030h] 19_2_04A0746D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA2073 mov eax, dword ptr fs:[00000030h] 19_2_04AA2073
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB1074 mov eax, dword ptr fs:[00000030h] 19_2_04AB1074
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1A44B mov eax, dword ptr fs:[00000030h] 19_2_04A1A44B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A00050 mov eax, dword ptr fs:[00000030h] 19_2_04A00050
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A00050 mov eax, dword ptr fs:[00000030h] 19_2_04A00050
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A7C450 mov eax, dword ptr fs:[00000030h] 19_2_04A7C450
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A7C450 mov eax, dword ptr fs:[00000030h] 19_2_04A7C450
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A135A1 mov eax, dword ptr fs:[00000030h] 19_2_04A135A1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A669A6 mov eax, dword ptr fs:[00000030h] 19_2_04A669A6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A161A0 mov eax, dword ptr fs:[00000030h] 19_2_04A161A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A161A0 mov eax, dword ptr fs:[00000030h] 19_2_04A161A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB05AC mov eax, dword ptr fs:[00000030h] 19_2_04AB05AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB05AC mov eax, dword ptr fs:[00000030h] 19_2_04AB05AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E2D8A mov eax, dword ptr fs:[00000030h] 19_2_049E2D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E2D8A mov eax, dword ptr fs:[00000030h] 19_2_049E2D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E2D8A mov eax, dword ptr fs:[00000030h] 19_2_049E2D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E2D8A mov eax, dword ptr fs:[00000030h] 19_2_049E2D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E2D8A mov eax, dword ptr fs:[00000030h] 19_2_049E2D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A11DB5 mov eax, dword ptr fs:[00000030h] 19_2_04A11DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A11DB5 mov eax, dword ptr fs:[00000030h] 19_2_04A11DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A11DB5 mov eax, dword ptr fs:[00000030h] 19_2_04A11DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A651BE mov eax, dword ptr fs:[00000030h] 19_2_04A651BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A651BE mov eax, dword ptr fs:[00000030h] 19_2_04A651BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A651BE mov eax, dword ptr fs:[00000030h] 19_2_04A651BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A651BE mov eax, dword ptr fs:[00000030h] 19_2_04A651BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A12581 mov eax, dword ptr fs:[00000030h] 19_2_04A12581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A12581 mov eax, dword ptr fs:[00000030h] 19_2_04A12581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A12581 mov eax, dword ptr fs:[00000030h] 19_2_04A12581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A12581 mov eax, dword ptr fs:[00000030h] 19_2_04A12581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A0C182 mov eax, dword ptr fs:[00000030h] 19_2_04A0C182
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1A185 mov eax, dword ptr fs:[00000030h] 19_2_04A1A185
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A12990 mov eax, dword ptr fs:[00000030h] 19_2_04A12990
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1FD9B mov eax, dword ptr fs:[00000030h] 19_2_04A1FD9B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1FD9B mov eax, dword ptr fs:[00000030h] 19_2_04A1FD9B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A741E8 mov eax, dword ptr fs:[00000030h] 19_2_04A741E8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A98DF1 mov eax, dword ptr fs:[00000030h] 19_2_04A98DF1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A66DC9 mov eax, dword ptr fs:[00000030h] 19_2_04A66DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A66DC9 mov eax, dword ptr fs:[00000030h] 19_2_04A66DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A66DC9 mov eax, dword ptr fs:[00000030h] 19_2_04A66DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A66DC9 mov ecx, dword ptr fs:[00000030h] 19_2_04A66DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A66DC9 mov eax, dword ptr fs:[00000030h] 19_2_04A66DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A66DC9 mov eax, dword ptr fs:[00000030h] 19_2_04A66DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049EB1E1 mov eax, dword ptr fs:[00000030h] 19_2_049EB1E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049EB1E1 mov eax, dword ptr fs:[00000030h] 19_2_049EB1E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049EB1E1 mov eax, dword ptr fs:[00000030h] 19_2_049EB1E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049FD5E0 mov eax, dword ptr fs:[00000030h] 19_2_049FD5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049FD5E0 mov eax, dword ptr fs:[00000030h] 19_2_049FD5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A04120 mov eax, dword ptr fs:[00000030h] 19_2_04A04120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A04120 mov eax, dword ptr fs:[00000030h] 19_2_04A04120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A04120 mov eax, dword ptr fs:[00000030h] 19_2_04A04120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A04120 mov eax, dword ptr fs:[00000030h] 19_2_04A04120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A04120 mov ecx, dword ptr fs:[00000030h] 19_2_04A04120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A6A537 mov eax, dword ptr fs:[00000030h] 19_2_04A6A537
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A14D3B mov eax, dword ptr fs:[00000030h] 19_2_04A14D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A14D3B mov eax, dword ptr fs:[00000030h] 19_2_04A14D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A14D3B mov eax, dword ptr fs:[00000030h] 19_2_04A14D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1513A mov eax, dword ptr fs:[00000030h] 19_2_04A1513A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1513A mov eax, dword ptr fs:[00000030h] 19_2_04A1513A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E9100 mov eax, dword ptr fs:[00000030h] 19_2_049E9100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E9100 mov eax, dword ptr fs:[00000030h] 19_2_049E9100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E9100 mov eax, dword ptr fs:[00000030h] 19_2_049E9100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB8D34 mov eax, dword ptr fs:[00000030h] 19_2_04AB8D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h] 19_2_049F3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h] 19_2_049F3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h] 19_2_049F3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h] 19_2_049F3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h] 19_2_049F3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h] 19_2_049F3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h] 19_2_049F3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h] 19_2_049F3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h] 19_2_049F3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h] 19_2_049F3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h] 19_2_049F3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h] 19_2_049F3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h] 19_2_049F3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049EAD30 mov eax, dword ptr fs:[00000030h] 19_2_049EAD30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A0C577 mov eax, dword ptr fs:[00000030h] 19_2_04A0C577
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A0C577 mov eax, dword ptr fs:[00000030h] 19_2_04A0C577
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A23D43 mov eax, dword ptr fs:[00000030h] 19_2_04A23D43
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A0B944 mov eax, dword ptr fs:[00000030h] 19_2_04A0B944
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A0B944 mov eax, dword ptr fs:[00000030h] 19_2_04A0B944
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A63540 mov eax, dword ptr fs:[00000030h] 19_2_04A63540
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049EB171 mov eax, dword ptr fs:[00000030h] 19_2_049EB171
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049EB171 mov eax, dword ptr fs:[00000030h] 19_2_049EB171
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A07D50 mov eax, dword ptr fs:[00000030h] 19_2_04A07D50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049EC962 mov eax, dword ptr fs:[00000030h] 19_2_049EC962
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A646A7 mov eax, dword ptr fs:[00000030h] 19_2_04A646A7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB0EA5 mov eax, dword ptr fs:[00000030h] 19_2_04AB0EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB0EA5 mov eax, dword ptr fs:[00000030h] 19_2_04AB0EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB0EA5 mov eax, dword ptr fs:[00000030h] 19_2_04AB0EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1FAB0 mov eax, dword ptr fs:[00000030h] 19_2_04A1FAB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A7FE87 mov eax, dword ptr fs:[00000030h] 19_2_04A7FE87
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049FAAB0 mov eax, dword ptr fs:[00000030h] 19_2_049FAAB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049FAAB0 mov eax, dword ptr fs:[00000030h] 19_2_049FAAB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1D294 mov eax, dword ptr fs:[00000030h] 19_2_04A1D294
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1D294 mov eax, dword ptr fs:[00000030h] 19_2_04A1D294
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E52A5 mov eax, dword ptr fs:[00000030h] 19_2_049E52A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E52A5 mov eax, dword ptr fs:[00000030h] 19_2_049E52A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E52A5 mov eax, dword ptr fs:[00000030h] 19_2_049E52A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E52A5 mov eax, dword ptr fs:[00000030h] 19_2_049E52A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E52A5 mov eax, dword ptr fs:[00000030h] 19_2_049E52A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A116E0 mov ecx, dword ptr fs:[00000030h] 19_2_04A116E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A12AE4 mov eax, dword ptr fs:[00000030h] 19_2_04A12AE4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A28EC7 mov eax, dword ptr fs:[00000030h] 19_2_04A28EC7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A9FEC0 mov eax, dword ptr fs:[00000030h] 19_2_04A9FEC0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A12ACB mov eax, dword ptr fs:[00000030h] 19_2_04A12ACB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A136CC mov eax, dword ptr fs:[00000030h] 19_2_04A136CC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB8ED6 mov eax, dword ptr fs:[00000030h] 19_2_04AB8ED6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F76E2 mov eax, dword ptr fs:[00000030h] 19_2_049F76E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049EAA16 mov eax, dword ptr fs:[00000030h] 19_2_049EAA16
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049EAA16 mov eax, dword ptr fs:[00000030h] 19_2_049EAA16
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A24A2C mov eax, dword ptr fs:[00000030h] 19_2_04A24A2C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A24A2C mov eax, dword ptr fs:[00000030h] 19_2_04A24A2C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E5210 mov eax, dword ptr fs:[00000030h] 19_2_049E5210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E5210 mov ecx, dword ptr fs:[00000030h] 19_2_049E5210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E5210 mov eax, dword ptr fs:[00000030h] 19_2_049E5210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E5210 mov eax, dword ptr fs:[00000030h] 19_2_049E5210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F8A0A mov eax, dword ptr fs:[00000030h] 19_2_049F8A0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A9FE3F mov eax, dword ptr fs:[00000030h] 19_2_04A9FE3F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049EC600 mov eax, dword ptr fs:[00000030h] 19_2_049EC600
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049EC600 mov eax, dword ptr fs:[00000030h] 19_2_049EC600
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049EC600 mov eax, dword ptr fs:[00000030h] 19_2_049EC600
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A18E00 mov eax, dword ptr fs:[00000030h] 19_2_04A18E00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A03A1C mov eax, dword ptr fs:[00000030h] 19_2_04A03A1C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1A61C mov eax, dword ptr fs:[00000030h] 19_2_04A1A61C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1A61C mov eax, dword ptr fs:[00000030h] 19_2_04A1A61C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049EE620 mov eax, dword ptr fs:[00000030h] 19_2_049EE620
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A9B260 mov eax, dword ptr fs:[00000030h] 19_2_04A9B260
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A9B260 mov eax, dword ptr fs:[00000030h] 19_2_04A9B260
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB8A62 mov eax, dword ptr fs:[00000030h] 19_2_04AB8A62
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A0AE73 mov eax, dword ptr fs:[00000030h] 19_2_04A0AE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A0AE73 mov eax, dword ptr fs:[00000030h] 19_2_04A0AE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A0AE73 mov eax, dword ptr fs:[00000030h] 19_2_04A0AE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A0AE73 mov eax, dword ptr fs:[00000030h] 19_2_04A0AE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A0AE73 mov eax, dword ptr fs:[00000030h] 19_2_04A0AE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A2927A mov eax, dword ptr fs:[00000030h] 19_2_04A2927A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E9240 mov eax, dword ptr fs:[00000030h] 19_2_049E9240
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E9240 mov eax, dword ptr fs:[00000030h] 19_2_049E9240
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E9240 mov eax, dword ptr fs:[00000030h] 19_2_049E9240
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E9240 mov eax, dword ptr fs:[00000030h] 19_2_049E9240
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F7E41 mov eax, dword ptr fs:[00000030h] 19_2_049F7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F7E41 mov eax, dword ptr fs:[00000030h] 19_2_049F7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F7E41 mov eax, dword ptr fs:[00000030h] 19_2_049F7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F7E41 mov eax, dword ptr fs:[00000030h] 19_2_049F7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F7E41 mov eax, dword ptr fs:[00000030h] 19_2_049F7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F7E41 mov eax, dword ptr fs:[00000030h] 19_2_049F7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A74257 mov eax, dword ptr fs:[00000030h] 19_2_04A74257
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F766D mov eax, dword ptr fs:[00000030h] 19_2_049F766D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F8794 mov eax, dword ptr fs:[00000030h] 19_2_049F8794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A14BAD mov eax, dword ptr fs:[00000030h] 19_2_04A14BAD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A14BAD mov eax, dword ptr fs:[00000030h] 19_2_04A14BAD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A14BAD mov eax, dword ptr fs:[00000030h] 19_2_04A14BAD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB5BA5 mov eax, dword ptr fs:[00000030h] 19_2_04AB5BA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F1B8F mov eax, dword ptr fs:[00000030h] 19_2_049F1B8F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049F1B8F mov eax, dword ptr fs:[00000030h] 19_2_049F1B8F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA138A mov eax, dword ptr fs:[00000030h] 19_2_04AA138A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A9D380 mov ecx, dword ptr fs:[00000030h] 19_2_04A9D380
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1B390 mov eax, dword ptr fs:[00000030h] 19_2_04A1B390
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A67794 mov eax, dword ptr fs:[00000030h] 19_2_04A67794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A67794 mov eax, dword ptr fs:[00000030h] 19_2_04A67794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A67794 mov eax, dword ptr fs:[00000030h] 19_2_04A67794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A12397 mov eax, dword ptr fs:[00000030h] 19_2_04A12397
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A103E2 mov eax, dword ptr fs:[00000030h] 19_2_04A103E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A103E2 mov eax, dword ptr fs:[00000030h] 19_2_04A103E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A103E2 mov eax, dword ptr fs:[00000030h] 19_2_04A103E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A103E2 mov eax, dword ptr fs:[00000030h] 19_2_04A103E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A103E2 mov eax, dword ptr fs:[00000030h] 19_2_04A103E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A103E2 mov eax, dword ptr fs:[00000030h] 19_2_04A103E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A0DBE9 mov eax, dword ptr fs:[00000030h] 19_2_04A0DBE9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A237F5 mov eax, dword ptr fs:[00000030h] 19_2_04A237F5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A653CA mov eax, dword ptr fs:[00000030h] 19_2_04A653CA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A653CA mov eax, dword ptr fs:[00000030h] 19_2_04A653CA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1E730 mov eax, dword ptr fs:[00000030h] 19_2_04A1E730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB070D mov eax, dword ptr fs:[00000030h] 19_2_04AB070D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB070D mov eax, dword ptr fs:[00000030h] 19_2_04AB070D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1A70E mov eax, dword ptr fs:[00000030h] 19_2_04A1A70E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A1A70E mov eax, dword ptr fs:[00000030h] 19_2_04A1A70E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E4F2E mov eax, dword ptr fs:[00000030h] 19_2_049E4F2E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049E4F2E mov eax, dword ptr fs:[00000030h] 19_2_049E4F2E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AA131B mov eax, dword ptr fs:[00000030h] 19_2_04AA131B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A0F716 mov eax, dword ptr fs:[00000030h] 19_2_04A0F716
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A7FF10 mov eax, dword ptr fs:[00000030h] 19_2_04A7FF10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A7FF10 mov eax, dword ptr fs:[00000030h] 19_2_04A7FF10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB8F6A mov eax, dword ptr fs:[00000030h] 19_2_04AB8F6A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049EF358 mov eax, dword ptr fs:[00000030h] 19_2_049EF358
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A13B7A mov eax, dword ptr fs:[00000030h] 19_2_04A13B7A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04A13B7A mov eax, dword ptr fs:[00000030h] 19_2_04A13B7A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049EDB40 mov eax, dword ptr fs:[00000030h] 19_2_049EDB40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049FEF40 mov eax, dword ptr fs:[00000030h] 19_2_049FEF40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_04AB8B58 mov eax, dword ptr fs:[00000030h] 19_2_04AB8B58
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049EDB60 mov ecx, dword ptr fs:[00000030h] 19_2_049EDB60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_049FFF60 mov eax, dword ptr fs:[00000030h] 19_2_049FFF60
Enables debug privileges
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Thread register set: target process: 3440 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread register set: target process: 3440 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 10D0000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Process created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe' Jump to behavior
Source: explorer.exe, 0000000E.00000000.515063746.0000000000EE0000.00000002.00000001.sdmp, msiexec.exe, 00000013.00000002.599304772.0000000003280000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000000.514299657.00000000008B8000.00000004.00000020.sdmp, msiexec.exe, 00000013.00000002.599304772.0000000003280000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.515063746.0000000000EE0000.00000002.00000001.sdmp, msiexec.exe, 00000013.00000002.599304772.0000000003280000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 0000000E.00000000.515063746.0000000000EE0000.00000002.00000001.sdmp, msiexec.exe, 00000013.00000002.599304772.0000000003280000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Queries volume information: C:\Users\user\Desktop\bVsKNuwn30.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bVsKNuwn30.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 433069 Sample: bVsKNuwn30 Startdate: 11/06/2021 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 6 other signatures 2->37 10 bVsKNuwn30.exe 5 2->10         started        process3 file4 25 C:\Users\user\AppData\...\bVsKNuwn30.exe, PE32 10->25 dropped 27 C:\Users\...\bVsKNuwn30.exe:Zone.Identifier, ASCII 10->27 dropped 29 C:\Users\user\AppData\...\bVsKNuwn30.exe.log, ASCII 10->29 dropped 13 bVsKNuwn30.exe 10->13         started        process5 signatures6 45 Multi AV Scanner detection for dropped file 13->45 47 Machine Learning detection for dropped file 13->47 49 Modifies the context of a thread in another process (thread injection) 13->49 51 4 other signatures 13->51 16 explorer.exe 13->16 injected process7 process8 18 msiexec.exe 16->18         started        signatures9 39 Modifies the context of a thread in another process (thread injection) 18->39 41 Maps a DLL or memory area into another process 18->41 43 Tries to detect virtualization through RDTSC time measurements 18->43 21 cmd.exe 1 18->21         started        process10 process11 23 conhost.exe 21->23         started       
No contacted IP infos

Contacted URLs

Name Malicious Antivirus Detection Reputation
www.bucksnortneola.com/gw2/ true
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
 low