
Analysis Report bVsKNuwn30

Overview

General Information

Sample Name: bVsKNuwn30 (renamed file extension from none to exe)
Analysis ID: 433069
MD5: 3c88c6ef1a906bc81fc6b5b7fc478e0c
SHA1: 1007ea59d9c209f367a1873ae6da2eac5fad81ef
SHA256: 1754283e0b6bbbbeb69f165e54e3795d3e34ca14aa7bd8bd3b7dcdd97f7dfca8
Tags: exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • bVsKNuwn30.exe (PID: 6700 cmdline: 'C:\Users\user\Desktop\bVsKNuwn30.exe' MD5: 3C88C6EF1A906BC81FC6B5B7FC478E0C)
    • bVsKNuwn30.exe (PID: 5612 cmdline: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe MD5: 3C88C6EF1A906BC81FC6B5B7FC478E0C)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 3532 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 5548 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.bucksnortneola.com/gw2/"], "decoy": ["kmampc.com", "swagsoldier.com", "achochapo.com", "nestymentemaestra.com", "rakuen-beans.info", "portaldainsolvencia.com", "nationaltodaytv.com", "monadiclab.com", "thebudgetfurnituredenver.com", "sifangzhouzi.com", "quangcaosonthach.com", "cbluebeltliveshop.com", "hyperrealmarketing.com", "dallasproducecompany.com", "zizhizhengshu.com", "becosyshe.com", "injectionhub.com", "wasteshelter.com", "gapegod.com", "danfrem.com", "emag.enterprises", "insomniaut.com", "margaretsboutiquenb.com", "bestmovies4k.com", "hsxytz.com", "veles.asia", "graphicoustic.com", "rzeroxi.com", "cristyleebennett.com", "vercoicsporno.club", "awdworldwide.com", "agrilast.com", "vineyardplaceseniorliving.com", "blancaholidaylets.com", "didixun.com", "localmiller.com", "gravityphysiotherapy.com", "couchtabledesktop.com", "cypresswoodsseniorliving.com", "mmdastro.com", "opportunitybsi.com", "deejspeaks.com", "alllivesmattertojesus.info", "clippingpathmask.com", "tuoitrechuatraisudoi.site", "mipecheritage.info", "acadeopolis.com", "52jnh.com", "thetrust.place", "highseachartersct.com", "booklarge.com", "kela-de.com", "ea-it-pantomath.com", "tricountyrr.com", "blackeye.online", "hidrovaco.com", "sleeplessreconnaissance.life", "newalbanyironworks.com", "scthxb.com", "bossssss.com", "isaostar.com", "pointredeem.com", "myfulfillmentproject.com", "toikawai.com"]}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
bVsKNuwn30.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | strings:
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | strings:
        • 0x18409:$sqlite3step: 68 34 1C 7B E1
        • 0x1851c:$sqlite3step: 68 34 1C 7B E1
        • 0x18438:$sqlite3text: 68 38 2A 90 C5
        • 0x1855d:$sqlite3text: 68 38 2A 90 C5
        • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | same $sequence_0 to $sequence_9 strings and offsets as the 0000000000D20000 dump above

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.bVsKNuwn30.exe.660000.1.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
19.2.msiexec.exe.4eef834.4.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.bVsKNuwn30.exe.6f0000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
12.2.bVsKNuwn30.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
12.2.bVsKNuwn30.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | strings:
                  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
                  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
                  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
                  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
                  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
                  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
                  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
                  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
                  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
                  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
                  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


                  AV Detection:

Found malware configuration
Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Virustotal: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Metadefender: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | ReversingLabs: Detection: 55%
Multi AV Scanner detection for submitted file
Source: bVsKNuwn30.exe | Virustotal: Detection: 51%
Source: bVsKNuwn30.exe | Metadefender: Detection: 20%
Source: bVsKNuwn30.exe | ReversingLabs: Detection: 55%
Yara detected FormBook
Source: Yara match | File source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: bVsKNuwn30.exe | Joe Sandbox ML: detected
Source: 12.2.bVsKNuwn30.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.bVsKNuwn30.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: bVsKNuwn30.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: bVsKNuwn30.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msiexec.pdb | source: bVsKNuwn30.exe, 0000000C.00000002.542351925.0000000000E20000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000000E.00000000.506028471.0000000007BA0000.00000002.00000001.sdmp
Source: Binary string: msiexec.pdbGCTL | source: bVsKNuwn30.exe, 0000000C.00000002.542351925.0000000000E20000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: bVsKNuwn30.exe, 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, msiexec.exe, 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: bVsKNuwn30.exe, msiexec.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 0000000E.00000000.506028471.0000000007BA0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop edi

                  Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.bucksnortneola.com/gw2/
Source: bVsKNuwn30.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: bVsKNuwn30.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: bVsKNuwn30.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: bVsKNuwn30.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: bVsKNuwn30.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: bVsKNuwn30.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: bVsKNuwn30.exe | String found in binary or memory: http://ocsp.comodoca.com0#
Source: bVsKNuwn30.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: bVsKNuwn30.exe | String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php
Source: bVsKNuwn30.exe | String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php?application/json;
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000E.00000000.514555681.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: bVsKNuwn30.exe | String found in binary or memory: https://sectigo.com/CPS0D
Source: bVsKNuwn30.exe | String found in binary or memory: https://sectigo.com/CPS0U
Source: bVsKNuwn30.exe | String found in binary or memory: https://secure.comodo.com/CPS0L
Source: bVsKNuwn30.exe, 0000000C.00000002.542410721.0000000000EAA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  E-Banking Fraud:

Yara detected FormBook (same Yara matches as listed under AV Detection above)

                  System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419D60 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419E10 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419E90 NtClose,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419F40 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419D5A NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419E8B NtClose,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419F3A NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011AAD30 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9520 NtWaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9950 NtQueueApcThread,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9560 NtWriteFile,
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A99D0 NtCreateProcessEx,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A95F0 NtQueryInformationFile,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9820 NtEnumerateKey,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011AB040 NtSuspendThread,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A98A0 NtWriteVirtualMemory,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011AA710 NtOpenProcessToken,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9B00 NtSetValueKey,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9730 NtQueryVirtualMemory,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9770 NtSetInformationFile,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011AA770 NtOpenThread,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9760 NtOpenProcess,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011AA3B0 NtGetContextThread,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9FE0 NtCreateMutant,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9610 NtEnumerateValueKey,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9A10 NtQuerySection,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9650 NtQueryValueKey,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9670 NtQueryInformationProcess,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9A80 NtOpenDirectoryObject,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A96D0 NtCreateKey,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29860 NtQuerySystemInformation,LdrInitializeThunk,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29840 NtDelayExecution,LdrInitializeThunk,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A299A0 NtCreateSection,LdrInitializeThunk,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A295D0 NtClose,LdrInitializeThunk,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29910 NtAdjustPrivilegesToken,LdrInitializeThunk,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29540 NtReadFile,LdrInitializeThunk,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A296E0 NtFreeVirtualMemory,LdrInitializeThunk,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A296D0 NtCreateKey,LdrInitializeThunk,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29660 NtAllocateVirtualMemory,LdrInitializeThunk,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29650 NtQueryValueKey,LdrInitializeThunk,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29A50 NtCreateFile,LdrInitializeThunk,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29780 NtMapViewOfSection,LdrInitializeThunk,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29FE0 NtCreateMutant,LdrInitializeThunk,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29710 NtQueryInformationToken,LdrInitializeThunk,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A298A0 NtWriteVirtualMemory,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A298F0 NtReadVirtualMemory,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29820 NtEnumerateKey,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A2B040 NtSuspendThread,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A295F0 NtQueryInformationFile,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A299D0 NtCreateProcessEx,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29520 NtWaitForSingleObject,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A2AD30 NtSetContextThread,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29560 NtWriteFile,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29950 NtQueueApcThread,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29A80 NtOpenDirectoryObject,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29A20 NtResumeThread,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29A00 NtProtectVirtualMemory,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29610 NtEnumerateValueKey,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29A10 NtQuerySection,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29670 NtQueryInformationProcess,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A297A0 NtUnmapViewOfSection,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A2A3B0 NtGetContextThread,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29730 NtQueryVirtualMemory,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29B00 NtSetValueKey,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A2A710 NtOpenProcessToken,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29760 NtOpenProcess,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29770 NtSetInformationFile,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A2A770 NtOpenThread,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007C9D60 NtCreateFile,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007C9E10 NtReadFile,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007C9E90 NtClose,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007C9F40 NtAllocateVirtualMemory,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007C9D5A NtCreateFile,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007C9E8B NtClose,
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007C9F3A NtAllocateVirtualMemory,
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeCode function: 0_2_00F917B0
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeCode function: 0_2_00F91C28
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeCode function: 0_2_00F91C18
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeCode function: 0_2_00F91795
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeCode function: 0_2_0528F528
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeCode function: 0_2_05280007
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeCode function: 0_2_05280040
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeCode function: 0_2_05286B28
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_00401030
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0041D8BA
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0041D988
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0041E2F2
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_004012FB
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0041DA9E
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_00402D88
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_00402D90
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_00409E40
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0041DE31
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_00409E3B
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0041D719
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0041CFA3
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0041CFA6
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_00402FB0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0041DFB0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116F900
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01160D20
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01184120
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01231D55
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01221002
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0117B090
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119EBB0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01186E30
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A120A0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049FB090
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F841F
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1002
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A12581
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049FD5E0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A04120
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049EF900
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E0D20
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB1D55
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A06E30
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1EBB0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007CE2F2
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007B2D90
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007B2D88
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007B9E40
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007B9E3B
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007B2FB0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007CCFA6
                  Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe 1754283E0B6BBBBEB69F165E54E3795D3E34CA14AA7BD8BD3B7DCDD97F7DFCA8
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 049EB150 appears 35 times
                  Source: bVsKNuwn30.exeStatic PE information: invalid certificate
                  Source: bVsKNuwn30.exe, 00000000.00000002.491736102.00000000050E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameZcmwzsmpuvltki.dll" vs bVsKNuwn30.exe
                  Source: bVsKNuwn30.exe, 00000000.00000002.484948523.000000000076E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRFL_0769002.exeB vs bVsKNuwn30.exe
                  Source: bVsKNuwn30.exe, 00000000.00000002.491858013.0000000005120000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dllj% vs bVsKNuwn30.exe
                  Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs bVsKNuwn30.exe
                  Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs bVsKNuwn30.exe
                  Source: bVsKNuwn30.exe, 00000000.00000002.490881651.0000000004F20000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs bVsKNuwn30.exe
                  Source: bVsKNuwn30.exe, 00000000.00000002.489244106.0000000003ABD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameZmhikajpuu.dll6 vs bVsKNuwn30.exe
                  Source: bVsKNuwn30.exe, 00000000.00000002.491869526.0000000005130000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dll.muij% vs bVsKNuwn30.exe
                  Source: bVsKNuwn30.exe, 0000000C.00000002.542377429.0000000000E2F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemsiexec.exeX vs bVsKNuwn30.exe
                  Source: bVsKNuwn30.exe, 0000000C.00000000.484196822.00000000006DE000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRFL_0769002.exeB vs bVsKNuwn30.exe
                  Source: bVsKNuwn30.exe, 0000000C.00000002.543477824.00000000013EF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs bVsKNuwn30.exe
                  Source: bVsKNuwn30.exeBinary or memory string: OriginalFilenameRFL_0769002.exeB vs bVsKNuwn30.exe
                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
                  Source: bVsKNuwn30.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: bVsKNuwn30.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: bVsKNuwn30.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: classification engineClassification label: mal100.troj.evad.winEXE@7/3@0/0
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bVsKNuwn30.exe.log
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_01
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeFile created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
                  Source: bVsKNuwn30.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: bVsKNuwn30.exeVirustotal: Detection: 51%
                  Source: bVsKNuwn30.exeMetadefender: Detection: 20%
                  Source: bVsKNuwn30.exeReversingLabs: Detection: 55%
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeFile read: C:\Users\user\Desktop\bVsKNuwn30.exe
                  Source: unknownProcess created: C:\Users\user\Desktop\bVsKNuwn30.exe 'C:\Users\user\Desktop\bVsKNuwn30.exe'
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeProcess created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
                  Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe'
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeProcess created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe'
                  Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: bVsKNuwn30.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: bVsKNuwn30.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: bVsKNuwn30.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: msiexec.pdb source: bVsKNuwn30.exe, 0000000C.00000002.542351925.0000000000E20000.00000040.00000001.sdmp
                  Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.506028471.0000000007BA0000.00000002.00000001.sdmp
                  Source: Binary string: msiexec.pdbGCTL source: bVsKNuwn30.exe, 0000000C.00000002.542351925.0000000000E20000.00000040.00000001.sdmp
                  Source: Binary string: wntdll.pdbUGP source: bVsKNuwn30.exe, 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, msiexec.exe, 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                  Source: Binary string: wntdll.pdb source: bVsKNuwn30.exe, msiexec.exe
                  Source: Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.506028471.0000000007BA0000.00000002.00000001.sdmp

                  Data Obfuscation:

                  Yara detected Costura Assembly Loader
                  Source: Yara matchFile source: bVsKNuwn30.exe, type: SAMPLE
                  Source: Yara matchFile source: 0000000C.00000000.482709799.0000000000662000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000000.484079723.0000000000662000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000003.481505916.0000000000CB7000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000013.00000002.601052355.0000000004EEF000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.331883063.00000000006F2000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.484632271.00000000006F2000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000013.00000002.599515980.000000000469F000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000002.539491426.0000000000662000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: bVsKNuwn30.exe PID: 5612, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: bVsKNuwn30.exe PID: 6700, type: MEMORY
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe, type: DROPPED
                  Source: Yara matchFile source: 12.2.bVsKNuwn30.exe.660000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 19.2.msiexec.exe.4eef834.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.bVsKNuwn30.exe.6f0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 12.0.bVsKNuwn30.exe.660000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 12.0.bVsKNuwn30.exe.660000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.bVsKNuwn30.exe.6f0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 19.2.msiexec.exe.4eef834.4.unpack, type: UNPACKEDPE
                  Source: bVsKNuwn30.exeStatic PE information: 0xD669075E [Tue Dec 28 08:16:30 2083 UTC]
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeCode function: 0_2_00F962B5 push 8BFFFFFEh; retf
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeCode function: 0_2_00F95265 push ecx; retf
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeCode function: 0_2_00F94E5C pushad ; iretd
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_00417B68 push ebx; ret
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0041CEB5 push eax; ret
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0041CF6C push eax; ret
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0041CF02 push eax; ret
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0041CF0B push eax; ret
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_004167E2 push esi; retf
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0040C78D push ecx; iretd
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011BD0D1 push ecx; ret
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A3D0D1 push ecx; ret
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007C7B68 push ebx; ret
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007CCEB5 push eax; ret
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007CCF6C push eax; ret
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007CCF0B push eax; ret
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007CCF02 push eax; ret
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007C67E2 push esi; retf
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007BC78D push ecx; iretd
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.99300765862
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeFile created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeJump to dropped file

                  Hooking and other Techniques for Hiding and Protection:

                  Modifies the prolog of user mode functions (user mode inline hooks)
                  Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE8
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
                  Tries to detect virtualization through RDTSC time measurements
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                  Source: C:\Windows\SysWOW64\msiexec.exeRDTSC instruction interceptor: First address: 00000000007B98E4 second address: 00000000007B98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                  Source: C:\Windows\SysWOW64\msiexec.exeRDTSC instruction interceptor: First address: 00000000007B9B5E second address: 00000000007B9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_00409A90 rdtsc
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exe TID: 6732Thread sleep time: -922337203685477s >= -30000s
                  Source: explorer.exe, 0000000E.00000000.506523200.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
                  Source: explorer.exe, 0000000E.00000000.506479476.00000000083EB000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
                  Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmpBinary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                  Source: explorer.exe, 0000000E.00000000.509250519.000000000D462000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`1
                  Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000000.525625235.0000000005D50000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                  Source: explorer.exe, 0000000E.00000000.527417475.000000000641D000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmpBinary or memory string: vmware
                  Source: explorer.exe, 0000000E.00000000.506479476.00000000083EB000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
                  Source: explorer.exe, 0000000E.00000000.506355991.00000000082E2000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
                  Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
                  Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000000.525625235.0000000005D50000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                  Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000000.525625235.0000000005D50000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                  Source: explorer.exe, 0000000E.00000000.506355991.00000000082E2000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                  Source: explorer.exe, 0000000E.00000000.506523200.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
                  Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000000.525625235.0000000005D50000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                  Source: explorer.exe, 0000000E.00000000.514555681.000000000095C000.00000004.00000020.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeProcess information queried: ProcessInformation
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeProcess queried: DebugPort
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_00409A90 rdtsc
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeCode function: 0_2_00F91120 LdrInitializeThunk,
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01169100 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01238D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01194D3B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119513A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01173D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116AD30 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01184120 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01184120 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01187D50 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A3D43 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0118B944 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011E3540 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116B171 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0118C577 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119FD9B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0118C182 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119A185 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01162D8A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011935A1 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01218DF1 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116B1E1 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011E7016 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011E6C0A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01221C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0123740D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119BC2C mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01234015 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0117B02A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01180050 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FC450 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01222073 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01231074 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0118746D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01169080 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011E3884 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119F0BF mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119F0BF mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A90AF mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FB8D0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FB8D0 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_012214FB mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01238CD6 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FFF10 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FFF10 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119E730 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0123070D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0123070D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01164F2E mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01164F2E mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0122131B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01238F6A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116F358 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116DB40 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0117EF40 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01193B7A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01193B7A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116DB60 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0117FF60 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01238B58 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01235BA5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01171B8F mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01171B8F mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0121D380 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0122138A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116C600 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116C600 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116C600 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0121FE3F mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116E620 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0121B260 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0121B260 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01238A62 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01169240 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01169240 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01169240 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01169240 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A927A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0117766D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01230EA5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01230EA5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01230EA5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119D294 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119D294 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FFE87 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119FAB0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011652A5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011652A5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011652A5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011652A5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011652A5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011E46A7 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011936CC mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0121FEC0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01238ED6 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011776E2 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011916E0 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F849B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A290AF mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E9080 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1F0BF mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1F0BF mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1F0BF mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A63884 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A63884 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA14FB mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66CF0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66CF0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66CF0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E58EC mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A7B8D0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A7B8D0 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A7B8D0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A7B8D0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A7B8D0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A7B8D0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB8CD6 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1002D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1002D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1002D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1002D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1002D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1BC2C mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB740D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB740D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB740D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66C0A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66C0A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66C0A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66C0A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A67016 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A67016 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A67016 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049FB02A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049FB02A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049FB02A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049FB02A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB4015 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB4015 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A0746D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA2073 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB1074 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1A44B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A00050 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A00050 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A7C450 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A7C450 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A135A1 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A669A6 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A161A0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A161A0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB05AC mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB05AC mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E2D8A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E2D8A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E2D8A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E2D8A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E2D8A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A11DB5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A11DB5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A11DB5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A651BE mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A651BE mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A651BE mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A651BE mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A12581 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A12581 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A12581 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A12581 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A0C182 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1A185 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A12990 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1FD9B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1FD9B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A741E8 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A98DF1 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66DC9 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66DC9 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66DC9 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66DC9 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66DC9 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66DC9 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049EB1E1 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049EB1E1 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049EB1E1 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049FD5E0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049FD5E0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A04120 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A04120 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A04120 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A04120 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A04120 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A6A537 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A14D3B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A14D3B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A14D3B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1513A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1513A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E9100 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E9100 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E9100 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB8D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049EAD30 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A0C577 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A0C577 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A23D43 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A0B944 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A0B944 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A63540 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049EB171 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049EB171 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A07D50 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049EC962 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A646A7 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB0EA5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB0EA5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB0EA5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1FAB0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A7FE87 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049FAAB0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049FAAB0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1D294 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1D294 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E52A5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E52A5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E52A5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E52A5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E52A5 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A116E0 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A12AE4 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A28EC7 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A9FEC0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A12ACB mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A136CC mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB8ED6 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F76E2 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049EAA16 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049EAA16 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A24A2C mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A24A2C mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E5210 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E5210 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E5210 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E5210 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F8A0A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A9FE3F mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049EC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EC600 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A18E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A03A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A1A61C mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A9B260 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AB8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A0AE73 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A2927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E9240 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F7E41 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A74257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A14BAD mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AB5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F1B8F mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AA138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A9D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A1B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A67794 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A12397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A103E2 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A0DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A237F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A653CA mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A1E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AB070D mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A1A70E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E4F2E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AA131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A0F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A7FF10 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AB8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A13B7A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049FEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AB8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049FFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Memory allocated: page read and write | page guard
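The `mov eax, dword ptr fs:[00000030h]` entries above load the PEB pointer; that instruction alone is common in legitimate code, so the useful signal is which PEB field the next instruction reads. The scanner below is an added example, not code from the Joe Sandbox report or from the sample: it finds both 32-bit x86 encodings of `mov r32, fs:[30h]` in a raw code buffer and reports the PEB field touched immediately afterwards. `SAMPLE` is a constructed byte string, not bytes from the analysed binary.

```python
"""Find `mov r32, dword ptr fs:[30h]` (PEB pointer loads) in 32-bit x86 code
and report which PEB field the following instruction reads.

Added example, not code from the Joe Sandbox report or from the sample.
SAMPLE is a constructed byte string that imitates an inline
IsDebuggerPresent check followed by a PEB.Ldr walk.
"""
import struct

FS_PREFIX = 0x64    # segment override: FS, the TEB on 32-bit Windows
PEB_OFFSET = 0x30   # TEB.ProcessEnvironmentBlock
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x68: "NtGlobalFlag"}


def _field_after(code, i, reg):
    """If code[i:] is `mov r, [reg + disp8]` (8B/8A) or
    `movzx r32, byte ptr [reg + disp8]` (0F B6), return the PEB field
    name for disp8; otherwise None."""
    n = len(code)
    if i + 1 < n and code[i] == 0x0F and code[i + 1] == 0xB6:
        modrm_at = i + 2
    elif i < n and code[i] in (0x8B, 0x8A):
        modrm_at = i + 1
    else:
        return None
    if modrm_at + 1 >= n:
        return None
    modrm = code[modrm_at]
    # mod == 01 selects [base + disp8]; rm is the base register.
    # rm == 100 (esp) would need a SIB byte, so it is not handled.
    if (modrm >> 6) == 1 and (modrm & 7) == reg and reg != 4:
        disp = code[modrm_at + 1]
        return PEB_FIELDS.get(disp, f"PEB+0x{disp:02x}")
    return None


def find_peb_reads(code):
    """Return [(offset, mnemonic, field)] for every PEB pointer load."""
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != FS_PREFIX:
            i += 1
            continue
        # 64 A1 <disp32>: mov eax, fs:[disp32] (moffs32 short form)
        if i + 6 <= n and code[i + 1] == 0xA1 \
                and struct.unpack_from("<I", code, i + 2)[0] == PEB_OFFSET:
            hits.append((i, "mov eax, dword ptr fs:[30h]",
                         _field_after(code, i + 6, 0)))
            i += 6
            continue
        # 64 8B <modrm> <disp32>: mov r32, fs:[disp32]; modrm mod=00 rm=101
        if i + 7 <= n and code[i + 1] == 0x8B and (code[i + 2] & 0xC7) == 0x05 \
                and struct.unpack_from("<I", code, i + 3)[0] == PEB_OFFSET:
            reg = (code[i + 2] >> 3) & 7
            hits.append((i, f"mov {REG32[reg]}, dword ptr fs:[30h]",
                         _field_after(code, i + 7, reg)))
            i += 7
            continue
        i += 1
    return hits


# Constructed sample (not bytes from the analysed binary).
SAMPLE = bytes.fromhex(
    "64A130000000"    # mov eax, dword ptr fs:[30h]      ; PEB
    "0FB64002"        # movzx eax, byte ptr [eax+2]      ; PEB.BeingDebugged
    "85C0"            # test eax, eax
    "7502"            # jnz short +2
    "33C0"            # xor eax, eax
    "648B0D30000000"  # mov ecx, dword ptr fs:[30h]      ; PEB
    "8B490C"          # mov ecx, dword ptr [ecx+0Ch]     ; PEB.Ldr (module list)
    "64A118000000"    # mov eax, dword ptr fs:[18h]      ; TEB self pointer, not PEB
    "C3"              # ret
)

if __name__ == "__main__":
    for off, mnem, field in find_peb_reads(SAMPLE):
        print(f"{off:#06x}  {mnem:<32} next reads: {field}")
```

Treat a bare PEB load as weak evidence (ntdll and compiler runtimes emit it constantly) and weight the follow-up: BeingDebugged and NtGlobalFlag reads are anti-debugging, a Ldr walk is usually hash-based API resolution by a loader or shellcode. The scanner covers only 32-bit code, which is what this SysWOW64 sample runs; the 64-bit equivalent is `gs:[60h]`.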

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\msiexec.exe | Thread register set: target process: 3440
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 10D0000
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Process created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe'
Source: explorer.exe, 0000000E.00000000.515063746.0000000000EE0000.00000002.00000001.sdmp, msiexec.exe, 00000013.00000002.599304772.0000000003280000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000000.514299657.00000000008B8000.00000004.00000020.sdmp, msiexec.exe, 00000013.00000002.599304772.0000000003280000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.515063746.0000000000EE0000.00000002.00000001.sdmp, msiexec.exe, 00000013.00000002.599304772.0000000003280000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: explorer.exe, 0000000E.00000000.515063746.0000000000EE0000.00000002.00000001.sdmp, msiexec.exe, 00000013.00000002.599304772.0000000003280000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Queries volume information: C:\Users\user\Desktop\bVsKNuwn30.exe VolumeInformation
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Read together, these entries describe one chain: the Desktop sample starts a copy of itself from %LOCALAPPDATA%\Temp; that copy unmaps the section at 0x10D0000 in msiexec.exe and maps execute/read/write sections into both msiexec.exe and explorer.exe, sets a thread context in process 3440 and queues an APC in explorer.exe; the hollowed msiexec.exe then maps a further section into explorer.exe and removes the %TEMP% copy with cmd.exe /c del. Shell_TrayWnd and Progman are Explorer's taskbar and desktop window class names, the usual handles for locating the Explorer process, and MachineGuid is commonly read as a host identifier.
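The entries in this section are the kind of telemetry an EDR or Sysmon pipeline delivers one event at a time. As an added example (not sandbox or FormBook code), the script below correlates Sysmon-style process, section and thread events into the chain listed here: self-copy to %TEMP%, a section unmapped in a child created by the injector followed by SetThreadContext (hollowing), execute+write cross-process section maps, a cross-process APC, and an injection host spawning cmd.exe to delete the %TEMP% dropper. The event schema, the PIDs and the `EVENTS` list are constructed assumptions for the illustration.

```python
"""Correlate process, section and thread events into the injection chain
listed in this section: Desktop sample -> copy in %TEMP% -> hollowed
msiexec.exe -> RWX sections in explorer.exe/msiexec.exe, SetThreadContext
and APC -> msiexec.exe deletes the %TEMP% copy via cmd.exe.

Added example; not sandbox or FormBook code. The event schema (Sysmon-like
field names), the PIDs and the EVENTS list are constructed for this
illustration.
"""
import ntpath
import re
from collections import defaultdict

# Windows binaries commonly used as injection hosts (assumed list).
INJECTION_HOSTS = {"msiexec.exe", "explorer.exe", "svchost.exe"}
_DEL = re.compile(r"\bdel\b\s+['\"]?([^'\"]+)", re.I)


def _lower_name(path):
    return ntpath.basename(path).lower()


def _in_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def analyze(events):
    """Return {finding: [description, ...]} for the injection-chain rules."""
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}

    def name(pid):
        return ntpath.basename(procs[pid]["image"]) if pid in procs else f"pid {pid}"

    found = defaultdict(list)
    unmapped = set()   # (injector pid, target pid): creator unmapped the child's image

    for e in events:
        kind = e["type"]
        if kind == "ProcessCreate":
            parent = procs.get(e["ppid"])
            if parent is None:
                continue
            # Same file name, but the child runs from %TEMP% and the parent did not.
            if (_lower_name(parent["image"]) == _lower_name(e["image"])
                    and _in_temp(e["image"]) and not _in_temp(parent["image"])):
                found["self_copy_to_temp"].append(f'{parent["image"]} -> {e["image"]}')
            # A typical injection host spawning cmd.exe to delete a %TEMP% dropper.
            m = _DEL.search(e["cmdline"])
            if (_lower_name(e["image"]) == "cmd.exe" and m and _in_temp(m.group(1))
                    and _lower_name(parent["image"]) in INJECTION_HOSTS):
                found["host_deletes_temp_dropper"].append(
                    f'{name(e["ppid"])} del {m.group(1).strip()}')
        elif kind == "SectionUnmap":
            target = procs.get(e["target_pid"])
            if target is not None and target["ppid"] == e["pid"]:
                unmapped.add((e["pid"], e["target_pid"]))
        elif kind == "SectionMap":
            prot = e["protection"].lower()
            if e["target_pid"] != e["pid"] and "execute" in prot and "write" in prot:
                found["rwx_cross_process_map"].append(
                    f'{name(e["pid"])} -> {name(e["target_pid"])}')
        elif kind == "ThreadContext" and e["target_pid"] != e["pid"]:
            # Image unmapped by the creator, then SetThreadContext on it: hollowing.
            key = ("process_hollowing" if (e["pid"], e["target_pid"]) in unmapped
                   else "cross_process_thread_context")
            found[key].append(f'{name(e["pid"])} -> {name(e["target_pid"])}')
        elif kind == "ApcQueue" and e["target_pid"] != e["pid"]:
            found["cross_process_apc"].append(
                f'{name(e["pid"])} -> {name(e["target_pid"])}')
    return dict(found)


DESKTOP = r"C:\Users\user\Desktop\bVsKNuwn30.exe"
TEMP = r"C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe"
MSIEXEC = r"C:\Windows\SysWOW64\msiexec.exe"
EXPLORER = r"C:\Windows\explorer.exe"
RWX = "execute and read and write"

# Constructed events; PIDs 100-500 are made up.
EVENTS = [
    {"type": "ProcessCreate", "pid": 100, "ppid": 1, "image": DESKTOP, "cmdline": DESKTOP},
    {"type": "ProcessCreate", "pid": 400, "ppid": 1, "image": EXPLORER, "cmdline": "explorer.exe"},
    {"type": "ProcessCreate", "pid": 200, "ppid": 100, "image": TEMP, "cmdline": TEMP},
    {"type": "ProcessCreate", "pid": 300, "ppid": 200, "image": MSIEXEC, "cmdline": "msiexec.exe"},
    {"type": "SectionUnmap", "pid": 200, "target_pid": 300, "base": 0x10D0000},
    {"type": "SectionMap", "pid": 200, "target_pid": 300, "protection": RWX},
    {"type": "ThreadContext", "pid": 200, "target_pid": 300},
    {"type": "SectionMap", "pid": 200, "target_pid": 400, "protection": RWX},
    {"type": "ApcQueue", "pid": 200, "target_pid": 400},
    {"type": "SectionMap", "pid": 300, "target_pid": 400, "protection": "read write"},
    {"type": "SectionMap", "pid": 300, "target_pid": 400, "protection": RWX},
    {"type": "ProcessCreate", "pid": 500, "ppid": 300, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd.exe /c del '" + TEMP + "'"},
]

if __name__ == "__main__":
    for finding, items in analyze(EVENTS).items():
        print(finding, items)
```

The hollowing rule deliberately needs two events (unmap by the creating process, then SetThreadContext on the same target) so that a legitimate SetThreadContext from a debugger is not reported on its own; the read-write map from msiexec.exe into explorer.exe is kept out of the RWX finding on purpose, matching the distinction the report draws between the two protections.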

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: the same fifteen sources listed under Stealing of Sensitive Information above (ten MEMORY dumps and five UNPACKEDPE files)
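The source names in the Yara tables encode where the FormBook payload was found. The parser below is an added example, not report code: it decodes those names and groups the hits by process and page protection. The field layout and the process-number-to-image mapping are assumptions stated in the docstring; the `YARA_HITS` list itself is copied from the tables above.

```python
"""Decode Joe Sandbox memory-dump and unpacked-PE source names from the
Yara tables and group the FormBook hits by process and page protection.

Added example, not report code. Assumed layout of a .sdmp name:
<process no., hex>.<phase, hex>.<dump id>.<base address>.<page protection>.<type>.sdmp
(0x13 = 19 matches the "19_2_..." function prefixes, 0xC = 12 matches
"12.2.<image>...", phase 0 = process start, 2 = end of analysis; the type
field is left undecoded). An unpack name is
<process no.>.<phase>.<image>.<base address>.<index>[.raw].unpack.
PROC_NAMES is an assumption; 12 is taken to be the %TEMP% copy.
"""
import re
from collections import defaultdict

PAGE_PROTECT = {  # Win32 memory protection constants (low byte)
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
_DUMP = re.compile(r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})"
                   r"\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$", re.I)
_UNPACK = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-f]+)\.(\d+)(\.raw)?\.unpack$", re.I)


def parse_source(name):
    """Return a dict describing one Yara 'File source' name."""
    m = _DUMP.match(name)
    if m:
        prot = int(m.group(5), 16)
        return {"kind": "MEMORY", "proc": int(m.group(1), 16),
                "phase": int(m.group(2), 16), "base": int(m.group(4), 16),
                "protect": PAGE_PROTECT.get(prot & 0xFF, f"0x{prot:x}"),
                "executable": bool(prot & 0xF0)}   # any PAGE_EXECUTE_* value
    m = _UNPACK.match(name)
    if m:
        return {"kind": "UNPACKEDPE", "proc": int(m.group(1)),
                "phase": int(m.group(2)), "image": m.group(3),
                "base": int(m.group(4), 16), "raw": m.group(6) is not None}
    raise ValueError(f"unrecognised source name: {name}")


def group_hits(names, proc_names):
    """Group parsed sources by process label."""
    out = defaultdict(list)
    for n in names:
        d = parse_source(n)
        out[proc_names.get(d["proc"], f"process {d['proc']}")].append(d)
    return dict(out)


def executable_regions(names):
    """Memory dumps whose page protection allows execution: unpacked code."""
    return [d for d in map(parse_source, names)
            if d["kind"] == "MEMORY" and d["executable"]]


# The fifteen sources from the Yara tables above (copied from the report).
YARA_HITS = [
    "00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp",
    "00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp",
    "00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp",
    "0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp",
    "00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp",
    "0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp",
    "0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp",
    "00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp",
    "00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp",
    "0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp",
    "12.2.bVsKNuwn30.exe.400000.0.unpack",
    "0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack",
    "12.0.bVsKNuwn30.exe.400000.1.unpack",
    "12.0.bVsKNuwn30.exe.400000.1.raw.unpack",
    "12.2.bVsKNuwn30.exe.400000.0.raw.unpack",
]
# Assumed mapping of report process numbers to images.
PROC_NAMES = {0: "bVsKNuwn30.exe (initial)",
              12: "bVsKNuwn30.exe (assumed %TEMP% copy)",
              19: "msiexec.exe"}

if __name__ == "__main__":
    for proc, hits in group_hits(YARA_HITS, PROC_NAMES).items():
        print(proc)
        for h in hits:
            where = h["protect"] if h["kind"] == "MEMORY" else "unpacked PE"
            print(f"  {h['kind']:<10} base {h['base']:#010x} {where}")
```

Of the ten memory hits, six are PAGE_EXECUTE_READWRITE regions, all in process 12 and in msiexec.exe (process 19): that is the unpacked FormBook code in private RWX memory of the injector and of its hollowed host. The four PAGE_READWRITE hits belong to process 0, the initial .NET stage, where the payload is present as data rather than mapped code.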

Mitre Att&ck Matrix

Techniques the report matched carry its signature-count superscripts in brackets; the remaining cells are the unmatched matrix template.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Shared Modules [1]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: Process Injection [412]; DLL Side-Loading [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: Rootkit [1]; Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [31]; Process Injection [412]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [4]; Software Packing [3]; Timestomp [1]; DLL Side-Loading [1]
Credential Access: Credential API Hooking [1]; Input Capture [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: Security Software Discovery [321]; Process Discovery [2]; Virtualization/Sandbox Evasion [31]; System Information Discovery [112]; Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Scanning; System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Credential API Hooking [1]; Input Capture [1]; Archive Collected Data [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Application Layer Protocol [1]; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

Behavior Graph

(Interactive graph of processes, signatures, dropped files and DNS/IP contacts; the image is not reproduced here.)

Screenshots

(Screenshot thumbnails; the images are not reproduced here.)

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

Source | Detection | Scanner | Label
bVsKNuwn30.exe | 51% | Virustotal |
bVsKNuwn30.exe | 26% | Metadefender |
bVsKNuwn30.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
bVsKNuwn30.exe | 100% | Joe Sandbox ML |

The ReversingLabs label names AgentTesla; it classifies the MSIL outer layer, whereas the Yara rules and the extracted configuration identify the payload as FormBook. The configuration-based verdict is the one to record as the family.

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | 51% | Virustotal |
C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | 26% | Metadefender |
C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

The dropped file has the same detection results as the initial sample: it is the copy the sample writes to %TEMP% and re-executes.

Unpacked PE Files

Source | Detection | Scanner | Label
12.2.bVsKNuwn30.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
12.0.bVsKNuwn30.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

                  Domains

                  No Antivirus matches

                  URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation (4 lookups) | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation (4 lookups) | safe
http://www.tiro.com | 0% | URL Reputation (4 lookups) | safe
http://www.goodfont.co.kr | 0% | URL Reputation (4 lookups) | safe
https://sectigo.com/CPS0U | 0% | URL Reputation (4 lookups) | safe
http://www.carterandcone.coml | 0% | URL Reputation (4 lookups) | safe
http://www.sajatypeworks.com | 0% | URL Reputation (4 lookups) | safe
http://www.typography.netD | 0% | URL Reputation (4 lookups) | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation (4 lookups) | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation (4 lookups) | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation (4 lookups) | safe
http://fontfabrik.com | 0% | URL Reputation (4 lookups) | safe
http://www.founder.com.cn/cn | 0% | URL Reputation (4 lookups) | safe
www.bucksnortneola.com/gw2/ | 1% | Virustotal |
www.bucksnortneola.com/gw2/ | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation (4 lookups) | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation (4 lookups) | safe
https://sectigo.com/CPS0D | 0% | URL Reputation (4 lookups) | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation (4 lookups) | safe
http://www.sandoll.co.kr | 0% | URL Reputation (4 lookups) | safe
http://www.urwpp.deDPlease | 0% | URL Reputation (4 lookups) | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation (4 lookups) | safe
http://www.sakkal.com | 0% | URL Reputation (4 lookups) | safe

Trailing characters such as 0, 0U, 0t, 0#, 0D, l, D and DPlease are bytes adjacent to the string in the binary (DER certificate structure, font metadata) that the string carver kept; they are not part of the URL.

                  Domains and IPs

                  Contacted Domains

                  No contacted domains info

                  Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.bucksnortneola.com/gw2/ | true | Virustotal 1%; Avira URL Cloud: safe | low

The sandbox marks this URL malicious on the strength of the configuration-extraction signature, although one reputation lookup rates it safe and the other at 1%; a clean reputation score is not evidence against a configuration-derived C2 indicator.

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://www.autoitscript.com/autoit3/Jexplorer.exe, 0000000E.00000000.514555681.000000000095C000.00000004.00000020.sdmpfalse
                    high
                    http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmpfalse
                      high
                      http://www.fontbureau.comexplorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmpfalse
                        high
                        http://www.fontbureau.com/designersGexplorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmpfalse
                          high
                          http://www.fontbureau.com/designers/?explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmpfalse
                            high
                            http://www.founder.com.cn/cn/bTheexplorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://ocsp.sectigo.com0bVsKNuwn30.exefalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers?explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmpfalse
                              high
                              http://www.tiro.comexplorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designersexplorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmpfalse
                                high
                                http://www.goodfont.co.krexplorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://sectigo.com/CPS0UbVsKNuwn30.exefalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.carterandcone.comlexplorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.sajatypeworks.comexplorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.typography.netDexplorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | bVsKNuwn30.exe | Malicious: false | URL Reputation: safe (x4) | Reputation: unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | Malicious: false | Reputation: high
http://www.founder.com.cn/cn/cThe | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | Malicious: false | URL Reputation: safe (x4) | Reputation: unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | Malicious: false | URL Reputation: safe (x4) | Reputation: unknown
http://fontfabrik.com | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | Malicious: false | URL Reputation: safe (x4) | Reputation: unknown
http://www.founder.com.cn/cn | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | Malicious: false | URL Reputation: safe (x4) | Reputation: unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | Malicious: false | Reputation: high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | bVsKNuwn30.exe | Malicious: false | URL Reputation: safe (x4) | Reputation: unknown
http://www.jiyu-kobo.co.jp/ | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | Malicious: false | URL Reputation: safe (x4) | Reputation: unknown
https://sectigo.com/CPS0D | bVsKNuwn30.exe | Malicious: false | URL Reputation: safe (x4) | Reputation: unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | Malicious: false | URL Reputation: safe (x4) | Reputation: unknown
http://www.fontbureau.com/designers8 | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | Malicious: false | Reputation: high
https://secure.comodo.com/CPS0L | bVsKNuwn30.exe | Malicious: false | Reputation: high
http://www.fonts.com | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | Malicious: false | Reputation: high
http://www.sandoll.co.kr | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | Malicious: false | URL Reputation: safe (x4) | Reputation: unknown
http://www.urwpp.deDPlease | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | Malicious: false | URL Reputation: safe (x4) | Reputation: unknown
http://www.zhongyicts.com.cn | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | Malicious: false | URL Reputation: safe (x4) | Reputation: unknown
http://www.sakkal.com | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | Malicious: false | URL Reputation: safe (x4) | Reputation: unknown
http://us1.unwiredlabs.com/v2/process.php | bVsKNuwn30.exe | Malicious: false | Reputation: high
http://us1.unwiredlabs.com/v2/process.php?application/json; | bVsKNuwn30.exe | Malicious: false | Reputation: high

                                              Contacted IPs

                                              No contacted IP infos

                                              General Information

                                              Joe Sandbox Version:32.0.0 Black Diamond
                                              Analysis ID:433069
                                              Start date:11.06.2021
                                              Start time:08:49:25
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 10m 27s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:bVsKNuwn30 (renamed file extension from none to exe)
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:24
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:1
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.evad.winEXE@7/3@0/0
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 15.5% (good quality ratio 13.9%)
                                              • Quality average: 74.7%
                                              • Quality standard deviation: 31.3%
                                              HCA Information:
                                              • Successful, ratio: 96%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Not all processes were analyzed; the report is missing behavior information

                                              Simulations

                                              Behavior and APIs

                                              No simulations

                                              Joe Sandbox View / Context

                                              IPs

                                              No context

                                              Domains

                                              No context

                                              ASN

                                              No context

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | RFL_PO 69002.doc | malicious

                                                Created / dropped Files

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bVsKNuwn30.exe.log
                                                Process:C:\Users\user\Desktop\bVsKNuwn30.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):425
                                                Entropy (8bit):5.340009400190196
                                                Encrypted:false
                                                SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
                                                MD5:CC144808DBAF00E03294347EADC8E779
                                                SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
                                                SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
                                                SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
                                                Malicious:true
                                                Reputation:moderate, very likely benign file
                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                                C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
                                                Process:C:\Users\user\Desktop\bVsKNuwn30.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):533488
                                                Entropy (8bit):7.949126101574067
                                                Encrypted:false
                                                SSDEEP:12288:A4tWKG1Gu7iTQezjBwaxITEI3ENCYyuqoTGYA6TJqiU1:A4tc1Gu7KzurgI3FBOAmqb1
                                                MD5:3C88C6EF1A906BC81FC6B5B7FC478E0C
                                                SHA1:1007EA59D9C209F367A1873AE6DA2EAC5FAD81EF
                                                SHA-256:1754283E0B6BBBBEB69F165E54E3795D3E34CA14AA7BD8BD3B7DCDD97F7DFCA8
                                                SHA-512:87841B94DB9F67D856CBCC4E14BE6AB56716FFFCA161ADCF23EA5931ED3A2843C5207004E0E5AE7E9E764D9D2825993E2565BE10600134B89677F7734457A0F0
                                                Malicious:true
                                                Yara Hits:
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe, Author: Joe Security
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 51%
• Antivirus: Metadefender, Detection: 26%
                                                • Antivirus: ReversingLabs, Detection: 55%
                                                Joe Sandbox View:
• Filename: RFL_PO 69002.doc, Detection: malicious
                                                Reputation:low
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^.i...............0......J........... ........@.. .......................`............@.....................................S........F...............'...@......l................................................ ............... ..H............text....... ...................... ..`.rsrc....F.......H..................@..@.reloc.......@......................@..B........................H..................&....*..............................................(1...*..(....(...........s....o......}....*.0..F.......(....r...po.....s.......o....(.....o....o........,..o......,..o......*...........0..........*:.......~....*.......*..0..'..........+. ....(......Y..-.s....o.....{....*.*..(....*..{....*"..}....*..{....*"..}....*>..(......(....*..{....*"..}....*..{....*"..}....*>..(......(....*..(.0..b........s......s.....r9..p.o.........(....(....r]..p.o.........(...
                                                C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe:Zone.Identifier
                                                Process:C:\Users\user\Desktop\bVsKNuwn30.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Reputation:high, very likely benign file
                                                Preview: [ZoneTransfer]....ZoneId=0

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.949126101574067
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                • Win32 Executable (generic) a (10002005/4) 49.97%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:bVsKNuwn30.exe
                                                File size:533488
                                                MD5:3c88c6ef1a906bc81fc6b5b7fc478e0c
                                                SHA1:1007ea59d9c209f367a1873ae6da2eac5fad81ef
                                                SHA256:1754283e0b6bbbbeb69f165e54e3795d3e34ca14aa7bd8bd3b7dcdd97f7dfca8
                                                SHA512:87841b94db9f67d856cbcc4e14be6ab56716fffca161adcf23ea5931ed3a2843c5207004e0e5ae7e9e764d9d2825993e2565be10600134b89677f7734457a0f0
                                                SSDEEP:12288:A4tWKG1Gu7iTQezjBwaxITEI3ENCYyuqoTGYA6TJqiU1:A4tc1Gu7KzurgI3FBOAmqb1
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^.i...............0......J........... ........@.. .......................`............@................................

                                                File Icon

                                                Icon Hash:23d8dcd2d8d85047

                                                Static PE Info

                                                General

                                                Entrypoint:0x47cfde
                                                Entrypoint Section:.text
                                                Digitally signed:true
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0xD669075E [Tue Dec 28 08:16:30 2083 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:v4.0.30319
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                Authenticode Signature

                                                Signature Valid:false
                                                Signature Issuer:CN=COMODO RSA Extended Validation Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                Signature Validation Error:The digital signature of the object did not verify
                                                Error Number:-2146869232
                                                Not Before, Not After
                                                • 10/6/2019 5:00:00 PM 10/6/2022 4:59:59 PM
                                                Subject Chain
                                                • CN=Telegram FZ-LLC, O=Telegram FZ-LLC, STREET="Business Central Towers, Tower A, Office 2301 2303", L=Dubai, S=Dubai, C=AE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=AE, SERIALNUMBER=94349
                                                Version:3
                                                Thumbprint MD5:034F2391B5CE85A7D99BC43FE240F70F
                                                Thumbprint SHA-1:D4C89B25D3E92D05B44BC32C0CBFD7693613F3EE
                                                Thumbprint SHA-256:E31F1B9C3DDD0EDEFDF96F85B8FFD1DB976573BB262CC6E1154AD8FDC4D55449
                                                Serial:1F3216F428F850BE2C66CAA056F6D821

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al

                                                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7cf88 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7e000 | 0x46e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x7fc00 | 0x27f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x84000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7cf6c | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7afe4 | 0x7b000 | False | 0.988739758003 | data | 7.99300765862 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x7e000 | 0x46e8 | 0x4800 | False | 0.0667860243056 | data | 2.5375520699 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x84000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x7e100 | 0x4028 | data | |
RT_GROUP_ICON | 0x82138 | 0x14 | data | |
RT_VERSION | 0x8215c | 0x38c | PGP symmetric key encrypted data - Plaintext or unencrypted data | |
RT_MANIFEST | 0x824f8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright (C) 2014-2021
Assembly Version | 2.7.4.0
InternalName | RFL_0769002.exe
FileVersion | 2.7.4.0
CompanyName | Telegram FZ-LLC
LegalTrademarks |
Comments | Telegram Desktop
ProductName | Telegram Desktop
ProductVersion | 2.7.4.0
FileDescription | Telegram Desktop
OriginalFilename | RFL_0769002.exe

                                                Network Behavior

                                                No network behavior found

                                                Code Manipulations

                                                User Modules

                                                Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA  | INLINE    | explorer.exe
PeekMessageW  | INLINE    | explorer.exe
GetMessageW   | INLINE    | explorer.exe
GetMessageA   | INLINE    | explorer.exe

                                                Processes

                                                Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA  | INLINE    | 0x48 0x8B 0xB8 0x85 0x5E 0xE8
PeekMessageW  | INLINE    | 0x48 0x8B 0xB8 0x8D 0xDE 0xE8
GetMessageW   | INLINE    | 0x48 0x8B 0xB8 0x8D 0xDE 0xE8
GetMessageA   | INLINE    | 0x48 0x8B 0xB8 0x85 0x5E 0xE8
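
An INLINE hook is found by reading the first bytes of an exported function inside the target process and comparing them with the same bytes in the clean on-disk image; the table above lists only the in-memory side. The script below is an added example, not part of the report, that performs that comparison. The in-memory bytes are the New Data values listed for explorer.exe's user32.dll; the on-disk prologue and the two control entries are constructed placeholders, not user32.dll's real code. It also groups hooked functions by identical patch bytes, which shows the A/W pairs in the table sharing one patch each, and masks loader-relocated bytes so an x86 absolute address rewritten at load time is not mistaken for a hook.

```python
"""Added example: inline-hook detection by prologue comparison (memory vs disk)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Prologue:
    function: str
    on_disk: bytes                          # leading bytes from the clean image
    in_memory: bytes                        # same bytes read from the live process
    reloc_offsets: frozenset = frozenset()  # offsets the loader rewrites (x86 absolute addresses)


def hook_kind(patched: bytes) -> str:
    """Name the instruction now at the function start; unknown patterns are 'other', not guessed."""
    if patched[:1] == b"\xe9":
        return "jmp rel32"
    if patched[:1] == b"\xe8":
        return "call rel32"
    if patched[:2] == b"\xff\x25":
        return "jmp [rip+disp32]"
    if patched[:2] == b"\x48\xb8":
        return "mov rax, imm64 (trampoline)"
    return "other"


def find_inline_hooks(prologues):
    """Return one record per function whose non-relocated prologue bytes differ."""
    hits = []
    for p in prologues:
        n = min(len(p.on_disk), len(p.in_memory))
        changed = [i for i in range(n)
                   if p.on_disk[i] != p.in_memory[i] and i not in p.reloc_offsets]
        if changed:
            hits.append({
                "function": p.function,
                "first_changed_offset": changed[0],
                "new_data": p.in_memory[:n].hex(" "),
                "kind": hook_kind(p.in_memory),
            })
    return hits


def shared_patches(hits):
    """Group hooked functions by identical patch bytes (one hooking engine, many exports)."""
    groups = {}
    for h in hits:
        groups.setdefault(h["new_data"], []).append(h["function"])
    return groups


# Constructed clean prologue ('sub rsp, 28h' + int3 padding); NOT user32's actual code.
CLEAN = bytes.fromhex("48 83 ec 28 cc cc")

# New Data values from the report (explorer.exe, module user32.dll).
OBSERVED = {
    "PeekMessageA": "48 8B B8 85 5E E8",
    "PeekMessageW": "48 8B B8 8D DE E8",
    "GetMessageW":  "48 8B B8 8D DE E8",
    "GetMessageA":  "48 8B B8 85 5E E8",
}

SAMPLE = [Prologue(f, CLEAN, bytes.fromhex(h)) for f, h in OBSERVED.items()]
# Controls (constructed): an untouched function, and an x86-style 'mov eax,[abs32]'
# whose only difference is the relocated address at offsets 1..4.
SAMPLE.append(Prologue("unhooked_control", CLEAN, CLEAN))
SAMPLE.append(Prologue("relocated_control",
                       bytes.fromhex("a1 00 00 40 00 c3"),
                       bytes.fromhex("a1 00 00 70 00 c3"),
                       frozenset({1, 2, 3, 4})))

if __name__ == "__main__":
    hits = find_inline_hooks(SAMPLE)
    for h in hits:
        print(f"{h['function']:13} +{h['first_changed_offset']} {h['new_data']}  [{h['kind']}]")
    for patch, funcs in shared_patches(hits).items():
        print(f"patch {patch} shared by {', '.join(sorted(funcs))}")
```

On a real host the on-disk side comes from the module file mapped with the same image base as the process, and the relocation mask from the .reloc section; without that mask, 32-bit modules produce false positives on every relocated immediate.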

                                                Statistics

                                                Behavior


                                                System Behavior

                                                General

                                                Start time:08:50:21
                                                Start date:11/06/2021
                                                Path:C:\Users\user\Desktop\bVsKNuwn30.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\Desktop\bVsKNuwn30.exe'
                                                Imagebase:0x6f0000
                                                File size:533488 bytes
                                                MD5 hash:3C88C6EF1A906BC81FC6B5B7FC478E0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000003.481505916.0000000000CB7000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.331883063.00000000006F2000.00000002.00020000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.484632271.00000000006F2000.00000002.00020000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                General

                                                Start time:08:51:31
                                                Start date:11/06/2021
                                                Path:C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
                                                Imagebase:0x7ff7ae910000
                                                File size:533488 bytes
                                                MD5 hash:3C88C6EF1A906BC81FC6B5B7FC478E0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000C.00000000.482709799.0000000000662000.00000002.00020000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000C.00000000.484079723.0000000000662000.00000002.00020000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000C.00000002.539491426.0000000000662000.00000002.00020000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe, Author: Joe Security
                                                Antivirus matches:
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 51%, Virustotal, Browse
                                                • Detection: 26%, Metadefender, Browse
                                                • Detection: 55%, ReversingLabs
                                                Reputation:low

                                                General

                                                Start time:08:51:34
                                                Start date:11/06/2021
                                                Path:C:\Windows\explorer.exe
                                                Wow64 process (32bit):false
                                                Commandline:
                                                Imagebase:0x7ff6f22f0000
                                                File size:3933184 bytes
                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:08:51:54
                                                Start date:11/06/2021
                                                Path:C:\Windows\SysWOW64\msiexec.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\msiexec.exe
                                                Imagebase:0x10d0000
                                                File size:59904 bytes
                                                MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000013.00000002.601052355.0000000004EEF000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000013.00000002.599515980.000000000469F000.00000004.00000001.sdmp, Author: Joe Security
                                                Reputation:high

                                                General

                                                Start time:08:52:00
                                                Start date:11/06/2021
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:/c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe'
                                                Imagebase:0x2a0000
                                                File size:232960 bytes
                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:08:52:00
                                                Start date:11/06/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff61de10000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
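
The process list above records three behaviours that are cheap to detect from process-creation telemetry alone: the sample re-executing a byte-identical copy of itself (same MD5) from %LOCALAPPDATA%\Temp, msiexec.exe started with no arguments, and cmd.exe running `/c del` against the Temp copy once the payload had migrated. The script below is an added example, not part of the report, that encodes those three checks and runs them over events constructed from the entries above. The PIDs and parent links are assumptions made for the example; the report does not list them.

```python
"""Added example: process-creation rules for the self-copy / no-arg host / self-delete pattern."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    md5: str


LOCAL_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# 'del' followed by an optionally quoted path (the report shows single quotes).
DEL_RE = re.compile(r"""\bdel\b\s+['"]?([^'"]+?)['"]?\s*$""", re.IGNORECASE)


def detect(events):
    """Return (pid, rule, detail) tuples for the three behaviours described above."""
    findings = []
    by_md5 = {}
    for e in events:
        by_md5.setdefault(e.md5.lower(), []).append(e)
    seen_images = {e.image.lower() for e in events}

    for e in events:
        # 1. Same binary (by hash) executed again from a second path under %LOCALAPPDATA%\Temp.
        if LOCAL_TEMP_RE.search(e.image):
            others = [o for o in by_md5[e.md5.lower()] if o.image.lower() != e.image.lower()]
            if others:
                findings.append((e.pid, "self_copy_from_temp", f"same MD5 as {others[0].image}"))

        # 2. cmd.exe deleting a file that was itself executed earlier in this trace.
        if e.image.lower().endswith("\\cmd.exe"):
            m = DEL_RE.search(e.cmdline)
            if m and m.group(1).lower() in seen_images:
                findings.append((e.pid, "self_delete", m.group(1)))

        # 3. msiexec.exe with a bare command line (no /i, /x, /V ...): a hollow host, not an install.
        if e.image.lower().endswith("\\msiexec.exe"):
            args = e.cmdline.strip().strip("\"'")
            if args == "" or args.lower() == e.image.lower():
                findings.append((e.pid, "msiexec_no_args", e.cmdline))
    return findings


# Constructed from the report's System Behavior entries; PIDs/parents are assumptions.
EVENTS = [
    ProcEvent(1, 0, r"C:\Users\user\Desktop\bVsKNuwn30.exe",
              r"'C:\Users\user\Desktop\bVsKNuwn30.exe'", "3C88C6EF1A906BC81FC6B5B7FC478E0C"),
    ProcEvent(12, 1, r"C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe",
              r"C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe", "3C88C6EF1A906BC81FC6B5B7FC478E0C"),
    ProcEvent(2, 0, r"C:\Windows\explorer.exe", "", "AD5296B280E8F522A8A897C96BAB0E1D"),
    ProcEvent(19, 2, r"C:\Windows\SysWOW64\msiexec.exe",
              r"C:\Windows\SysWOW64\msiexec.exe", "12C17B5A5C2A7B97342C362CA467E9A2"),
    ProcEvent(20, 19, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe'", "F3BDBE3BB6F734E357235F4D5898582D"),
    ProcEvent(21, 20, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "EA777DEEA782E8B4D7C7C33BBF8A4496"),
]

if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"pid {pid:3} {rule:20} {detail}")
```

Rule 2 needs the whole trace (the deleted path must match an image seen earlier), so it is a correlation over a time window rather than a single-event match; rules 1 and 3 can fire on the event alone if the hash lookup is available.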

                                                Disassembly

                                                Code Analysis
