Windows Analysis Report nji3Lg1ot6

Overview

General Information

Sample Name: nji3Lg1ot6 (renamed file extension from none to exe)
Analysis ID: 552997
MD5: 8eddcc35719034649f6947b2b08bcdf3
SHA1: 5506b69b4584f43232f45299192a540ec0197998
SHA256: 0d072a60b433f330d2ba97d75eae7af07e9d75bc6ed5b1065287661d05e82ab6
Tags: 32, exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shut down / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file name differs from the original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.rthearts.com/nk6l/"], "decoy": ["cbnextra.com", "entitysystemsinc.com", "55midwoodave.com", "ebelizzi.com", "khojcity.com", "1527brokenoakdrive.site", "housinghproperties.com", "ratiousa.com", "lrcrepresentacoes.net", "tocoec.net", "khadamatdemnate.com", "davidkastner.xyz", "gardeniaresort.com", "qiantangguoji.com", "visaprepaidprocessinq.com", "cristinamadara.com", "semapisus.xyz", "mpwebagency.net", "alibabasdeli.com", "gigasupplies.com", "quantumskillset.com", "eajui136.xyz", "patsanchezelpaso.com", "trined.mobi", "amaturz.info", "approveprvqsx.xyz", "fronterapost.house", "clairewashere.site", "xn--3jst70hg8f.com", "thursdaynightthriller.com", "primacykapjlt.xyz", "vaginette.site", "olitusd.com", "paypal-caseid521.com", "preose.xyz", "ferbsqlv28.club", "iffiliatefreedom.com", "okdahotel.com", "cochuzyan.xyz", "hotyachts.net", "diamond-beauties.com", "storyofsol.com", "xianshucai.net", "venusmedicalarts.com", "energiaorgonu.com", "savannah.biz", "poeticdaily.com", "wilddalmatian.com", "kdydkyqksqucyuyen.com", "meanmod.xyz", "kaka.digital", "viewcision.com", "wowzerbackupandrestore-us.com", "hydrogendatapower.com", "427521.com", "ponto-bras.space", "chevalsk.com", "hnftdl.com", "nanasyhogar.com", "createacarepack.com", "wildkraeuter-wochenende.com", "uchihomedeco.com", "quintongiang.com", "mnbvending.com"]}
Multi AV Scanner detection for submitted file
Source: nji3Lg1ot6.exe VirusTotal: Detection: 37%
Source: nji3Lg1ot6.exe ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: nji3Lg1ot6.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.msiexec.exe.4baf840.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.msiexec.exe.2c5b358.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.nji3Lg1ot6.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.nji3Lg1ot6.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.nji3Lg1ot6.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.nji3Lg1ot6.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.nji3Lg1ot6.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: nji3Lg1ot6.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: msiexec.pdb source: nji3Lg1ot6.exe, 00000001.00000002.345417642.0000000000EA0000.00000040.00020000.sdmp
Source: Binary string: msiexec.pdbGCTL source: nji3Lg1ot6.exe, 00000001.00000002.345417642.0000000000EA0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: nji3Lg1ot6.exe, 00000000.00000003.294014026.0000000003090000.00000004.00000001.sdmp, nji3Lg1ot6.exe, 00000000.00000003.290725743.0000000003220000.00000004.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345127293.0000000000B1F000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: nji3Lg1ot6.exe, nji3Lg1ot6.exe, 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345127293.0000000000B1F000.00000040.00000001.sdmp, msiexec.exe, msiexec.exe, 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_00405D7C FindFirstFileA,FindClose, 0_2_00405D7C
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053AA
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 23.227.38.74:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.alibabasdeli.com
Source: C:\Windows\explorer.exe Domain query: www.nanasyhogar.com
Source: C:\Windows\explorer.exe Network Connect: 172.67.173.57 80
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Network Connect: 50.31.177.38 80
Source: C:\Windows\explorer.exe Domain query: www.gigasupplies.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.rthearts.com/nk6l/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /nk6l/?Mn6p=MMWPsHlVo7vbxfqT+E8iHGCJx4EpOMO7XTm/RW/7WjycdebsiPyF7OJFYt5Z76O5OpDL&m87=kDHx4bf HTTP/1.1
    Host: www.nanasyhogar.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic HTTP traffic detected: GET /nk6l/?Mn6p=zX7TWLgUTNDtCnt/XwnHS79HNPNEveCsoMI9+/ObXOF7SG2tu7bFQ30QzdtJgFVEPE8r&m87=kDHx4bf HTTP/1.1
    Host: www.alibabasdeli.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic HTTP traffic detected: GET /nk6l/?Mn6p=sMbkpEIYm7OVlcdzrpiwDTFtc4P6BDcndIa3bMJ3nzzEqPK8OVYh2AVyK3PkcpAP2wum&m87=kDHx4bf HTTP/1.1
    Host: www.gigasupplies.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 23.227.38.74
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden
    Date: Fri, 14 Jan 2022 02:39:09 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    X-Sorting-Hat-PodId: 188
    X-Sorting-Hat-ShopId: 60258091197
    X-Dc: gcp-europe-west1
    X-Request-ID: 077675b5-2854-474a-9745-e2e99dc925ce
    X-Permitted-Cross-Domain-Policies: none
    X-XSS-Protection: 1; mode=block
    X-Download-Options: noopen
    X-Content-Type-Options: nosniff
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 6cd37e035a694e0e-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
    Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css">
Source: nji3Lg1ot6.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: nji3Lg1ot6.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: unknown DNS traffic detected: queries for: www.nanasyhogar.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404F61

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: nji3Lg1ot6.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_00403225
Detected potential crypto function
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_0040604C 0_2_0040604C
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_00404772 0_2_00404772
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00401026 1_2_00401026
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041E261 1_2_0041E261
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041EB71 1_2_0041EB71
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041E3DA 1_2_0041E3DA
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041E4B4 1_2_0041E4B4
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00409E4B 1_2_00409E4B
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00409E50 1_2_00409E50
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041EEB5 1_2_0041EEB5
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041D7DE 1_2_0041D7DE
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041E79A 1_2_0041E79A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A520A0 1_2_00A520A0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF20A8 1_2_00AF20A8
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A3B090 1_2_00A3B090
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF28EC 1_2_00AF28EC
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AFE824 1_2_00AFE824
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4A830 1_2_00A4A830
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE1002 1_2_00AE1002
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A499BF 1_2_00A499BF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A44120 1_2_00A44120
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A2F900 1_2_00A2F900
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF22AE 1_2_00AF22AE
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00ADFA2B 1_2_00ADFA2B
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5EBB0 1_2_00A5EBB0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE03DA 1_2_00AE03DA
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AEDBD2 1_2_00AEDBD2
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF2B28 1_2_00AF2B28
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4AB40 1_2_00A4AB40
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A3841F 1_2_00A3841F
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AED466 1_2_00AED466
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A52581 1_2_00A52581
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A3D5E0 1_2_00A3D5E0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF25DD 1_2_00AF25DD
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A20D20 1_2_00A20D20
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF2D07 1_2_00AF2D07
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF1D55 1_2_00AF1D55
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF2EF7 1_2_00AF2EF7
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A46E30 1_2_00A46E30
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AED616 1_2_00AED616
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF1FF1 1_2_00AF1FF1
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AFDFCE 1_2_00AFDFCE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0476D466 7_2_0476D466
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B841F 7_2_046B841F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04771D55 7_2_04771D55
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046A0D20 7_2_046A0D20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04772D07 7_2_04772D07
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046BD5E0 7_2_046BD5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_047725DD 7_2_047725DD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D2581 7_2_046D2581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046C6E30 7_2_046C6E30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0476D616 7_2_0476D616
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04772EF7 7_2_04772EF7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04771FF1 7_2_04771FF1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0477DFCE 7_2_0477DFCE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0477E824 7_2_0477E824
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CA830 7_2_046CA830
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04761002 7_2_04761002
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_047728EC 7_2_047728EC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D20A0 7_2_046D20A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_047720A8 7_2_047720A8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046BB090 7_2_046BB090
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046C4120 7_2_046C4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046AF900 7_2_046AF900
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046C99BF 7_2_046C99BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0475FA2B 7_2_0475FA2B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_047722AE 7_2_047722AE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CAB40 7_2_046CAB40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04772B28 7_2_04772B28
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0476DBD2 7_2_0476DBD2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_047603DA 7_2_047603DA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046DEBB0 7_2_046DEBB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006DEB71 7_2_006DEB71
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006C2D90 7_2_006C2D90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006C9E4B 7_2_006C9E4B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006C9E50 7_2_006C9E50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006DEEB5 7_2_006DEEB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006DD7DE 7_2_006DD7DE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006C2FB0 7_2_006C2FB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006DE79A 7_2_006DE79A
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: String function: 00A2B150 appears 72 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 046AB150 appears 72 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041A350 NtCreateFile, 1_2_0041A350
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041A400 NtReadFile, 1_2_0041A400
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041A480 NtClose, 1_2_0041A480
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041A530 NtAllocateVirtualMemory, 1_2_0041A530
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041A34A NtCreateFile, 1_2_0041A34A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041A3FB NtReadFile, 1_2_0041A3FB
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041A47B NtClose, 1_2_0041A47B
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A698F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00A698F0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00A69860
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69840 NtDelayExecution,LdrInitializeThunk, 1_2_00A69840
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A699A0 NtCreateSection,LdrInitializeThunk, 1_2_00A699A0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00A69910
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69A20 NtResumeThread,LdrInitializeThunk, 1_2_00A69A20
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00A69A00
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69A50 NtCreateFile,LdrInitializeThunk, 1_2_00A69A50
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A695D0 NtClose,LdrInitializeThunk, 1_2_00A695D0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69540 NtReadFile,LdrInitializeThunk, 1_2_00A69540
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A696E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00A696E0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00A69660
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A697A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00A697A0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00A69780
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00A69710
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A698A0 NtWriteVirtualMemory, 1_2_00A698A0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69820 NtEnumerateKey, 1_2_00A69820
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A6B040 NtSuspendThread, 1_2_00A6B040
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A699D0 NtCreateProcessEx, 1_2_00A699D0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69950 NtQueueApcThread, 1_2_00A69950
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69A80 NtOpenDirectoryObject, 1_2_00A69A80
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69A10 NtQuerySection, 1_2_00A69A10
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A6A3B0 NtGetContextThread, 1_2_00A6A3B0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69B00 NtSetValueKey, 1_2_00A69B00
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A695F0 NtQueryInformationFile, 1_2_00A695F0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69520 NtWaitForSingleObject, 1_2_00A69520
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A6AD30 NtSetContextThread, 1_2_00A6AD30
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69560 NtWriteFile, 1_2_00A69560
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A696D0 NtCreateKey, 1_2_00A696D0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69610 NtEnumerateValueKey, 1_2_00A69610
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69670 NtQueryInformationProcess, 1_2_00A69670
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69650 NtQueryValueKey, 1_2_00A69650
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69FE0 NtCreateMutant, 1_2_00A69FE0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69730 NtQueryVirtualMemory, 1_2_00A69730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9540 NtReadFile,LdrInitializeThunk, 7_2_046E9540
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E95D0 NtClose,LdrInitializeThunk, 7_2_046E95D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_046E96E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E96D0 NtCreateKey,LdrInitializeThunk, 7_2_046E96D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9710 NtQueryInformationToken,LdrInitializeThunk, 7_2_046E9710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9FE0 NtCreateMutant,LdrInitializeThunk, 7_2_046E9FE0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9780 NtMapViewOfSection,LdrInitializeThunk, 7_2_046E9780
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9860 NtQuerySystemInformation,LdrInitializeThunk, 7_2_046E9860
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9840 NtDelayExecution,LdrInitializeThunk, 7_2_046E9840
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_046E9910
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E99A0 NtCreateSection,LdrInitializeThunk, 7_2_046E99A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9A50 NtCreateFile,LdrInitializeThunk, 7_2_046E9A50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9560 NtWriteFile, 7_2_046E9560
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9520 NtWaitForSingleObject, 7_2_046E9520
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046EAD30 NtSetContextThread, 7_2_046EAD30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E95F0 NtQueryInformationFile, 7_2_046E95F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9660 NtAllocateVirtualMemory, 7_2_046E9660
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9670 NtQueryInformationProcess, 7_2_046E9670
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9650 NtQueryValueKey, 7_2_046E9650
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9610 NtEnumerateValueKey, 7_2_046E9610
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9760 NtOpenProcess, 7_2_046E9760
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046EA770 NtOpenThread, 7_2_046EA770
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9770 NtSetInformationFile, 7_2_046E9770
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9730 NtQueryVirtualMemory, 7_2_046E9730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046EA710 NtOpenProcessToken, 7_2_046EA710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E97A0 NtUnmapViewOfSection, 7_2_046E97A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046EB040 NtSuspendThread, 7_2_046EB040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9820 NtEnumerateKey, 7_2_046E9820
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E98F0 NtReadVirtualMemory, 7_2_046E98F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E98A0 NtWriteVirtualMemory, 7_2_046E98A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9950 NtQueueApcThread, 7_2_046E9950
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E99D0 NtCreateProcessEx, 7_2_046E99D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9A20 NtResumeThread, 7_2_046E9A20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9A00 NtProtectVirtualMemory, 7_2_046E9A00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9A10 NtQuerySection, 7_2_046E9A10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9A80 NtOpenDirectoryObject, 7_2_046E9A80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9B00 NtSetValueKey, 7_2_046E9B00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046EA3B0 NtGetContextThread, 7_2_046EA3B0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006DA350 NtCreateFile, 7_2_006DA350
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006DA400 NtReadFile, 7_2_006DA400
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006DA480 NtClose, 7_2_006DA480
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006DA34A NtCreateFile, 7_2_006DA34A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006DA3FB NtReadFile, 7_2_006DA3FB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006DA47B NtClose, 7_2_006DA47B
Sample file is different than original file name gathered from version info
Source: nji3Lg1ot6.exe, 00000000.00000003.290866251.000000000333F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs nji3Lg1ot6.exe
Source: nji3Lg1ot6.exe, 00000000.00000003.291883164.00000000031A6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs nji3Lg1ot6.exe
Source: nji3Lg1ot6.exe, 00000001.00000002.345127293.0000000000B1F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs nji3Lg1ot6.exe
Source: nji3Lg1ot6.exe, 00000001.00000002.345282700.0000000000CAF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs nji3Lg1ot6.exe
Source: nji3Lg1ot6.exe, 00000001.00000002.345433443.0000000000EAF000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamemsiexec.exeX vs nji3Lg1ot6.exe
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: nji3Lg1ot6.exe Virustotal: Detection: 37%
Source: nji3Lg1ot6.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe File read: C:\Users\user\Desktop\nji3Lg1ot6.exe
Source: nji3Lg1ot6.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\nji3Lg1ot6.exe "C:\Users\user\Desktop\nji3Lg1ot6.exe"
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Process created: C:\Users\user\Desktop\nji3Lg1ot6.exe "C:\Users\user\Desktop\nji3Lg1ot6.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\nji3Lg1ot6.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Process created: C:\Users\user\Desktop\nji3Lg1ot6.exe "C:\Users\user\Desktop\nji3Lg1ot6.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\nji3Lg1ot6.exe"
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe File created: C:\Users\user\AppData\Local\Temp\nsx7FAD.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/4@4/4
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar, 0_2_00402012
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404275
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Binary string: msiexec.pdb source: nji3Lg1ot6.exe, 00000001.00000002.345417642.0000000000EA0000.00000040.00020000.sdmp
Source: Binary string: msiexec.pdbGCTL source: nji3Lg1ot6.exe, 00000001.00000002.345417642.0000000000EA0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: nji3Lg1ot6.exe, 00000000.00000003.294014026.0000000003090000.00000004.00000001.sdmp, nji3Lg1ot6.exe, 00000000.00000003.290725743.0000000003220000.00000004.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345127293.0000000000B1F000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: nji3Lg1ot6.exe, nji3Lg1ot6.exe, 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345127293.0000000000B1F000.00000040.00000001.sdmp, msiexec.exe, msiexec.exe, 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_72FB1000 push eax; ret 0_2_72FB102E
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041E9E6 push edx; ret 1_2_0041E9EE
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00416B6D push ebx; ret 1_2_00416B85
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041D4F2 push eax; ret 1_2_0041D4F8
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041D4FB push eax; ret 1_2_0041D562
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041D4A5 push eax; ret 1_2_0041D4F8
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041D55C push eax; ret 1_2_0041D562
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041EEB5 push esi; ret 1_2_0041F0D9
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A7D0D1 push ecx; ret 1_2_00A7D0E4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046FD0D1 push ecx; ret 7_2_046FD0E4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006DE9E6 push edx; ret 7_2_006DE9EE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006D6B6D push ebx; ret 7_2_006D6B85
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006DD4FB push eax; ret 7_2_006DD562
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006DD4F2 push eax; ret 7_2_006DD4F8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006DD4A5 push eax; ret 7_2_006DD4F8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006DD55C push eax; ret 7_2_006DD562
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_006DEEB5 push esi; ret 7_2_006DF0D9
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DA3

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe File created: C:\Users\user\AppData\Local\Temp\nsx7FAF.tmp\mtmmtvzho.dll

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE0
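The signature above fires because the first bytes of user32!PeekMessageA in explorer.exe no longer match the on-disk image. The following is an added example, not code from the report or from the sandbox vendor: it shows how such a check is done in practice by comparing a live prologue against a trusted copy and decoding the trampolines an inline hook usually installs. The clean prologue, the function address and the hooked variant are constructed inputs; the six "reported" bytes are the ones printed in the signature line.

```python
"""Classify user-mode inline hooks from a function's first bytes.

Added example, not part of the sandbox report. CLEAN_PROLOGUE and FUNC_VA are
constructed reference values, not bytes taken from any real user32.dll build.
"""
import struct
from typing import Optional, Tuple

MASK64 = (1 << 64) - 1


def decode_trampoline(code: bytes, func_va: int) -> Optional[Tuple[str, int]]:
    """Return (kind, destination) if `code` begins with a common hook trampoline.

    For the RIP-relative form the destination is the pointer slot, not the final
    target; resolving that needs the process memory at the slot.
    """
    if len(code) >= 5 and code[0] == 0xE9:                          # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp rel32", (func_va + 5 + rel) & MASK64)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:      # push imm32; ret
        return ("push imm32 / ret", struct.unpack_from("<I", code, 1)[0])
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return ("mov rax, imm64 / jmp rax", struct.unpack_from("<Q", code, 2)[0])
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                  # jmp [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        return ("jmp [rip+disp32] (slot)", (func_va + 6 + disp) & MASK64)
    return None


def check_function(name: str, clean: bytes, current: bytes, func_va: int):
    """Compare the live prologue with a trusted copy (for example bytes mapped
    from the on-disk image) and classify any difference."""
    if current[:len(clean)] == clean:
        return (name, "clean", None, None)
    tramp = decode_trampoline(current, func_va)
    if tramp is not None:
        return (name, "hooked", tramp[0], tramp[1])
    return (name, "modified", None, None)   # patched, but not a trampoline decoded here


# Constructed inputs (assumed values, see the lead-in).
FUNC_VA = 0x7FFB00001000                         # assumed load address of the function
CLEAN_PROLOGUE = bytes.fromhex("48895C2408")     # mov [rsp+8], rbx: a typical x64 prologue
HOOKED_JMP = bytes.fromhex("E900001000")         # jmp rel32 to FUNC_VA + 5 + 0x100000
REPORTED = bytes.fromhex("488BB8855EE0")         # the six bytes printed in the report

if __name__ == "__main__":
    for current in (CLEAN_PROLOGUE, HOOKED_JMP, REPORTED):
        print(check_function("user32!PeekMessageA", CLEAN_PROLOGUE, current, FUNC_VA))
```

The six bytes the sandbox printed do not begin with any of the trampolines decoded here, so they fall through to "modified": a prologue-comparison tool should report the raw bytes in that case rather than stay silent, since an unknown patch is still a patch.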
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\msiexec.exe Process created: /c del "C:\Users\user\Desktop\nji3Lg1ot6.exe"
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
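The process chain listed at the top of this section (the sample re-launching itself, explorer.exe starting autochk.exe and msiexec.exe from SysWOW64 with no arguments, msiexec.exe spawning cmd.exe to delete the original file) and the self-deletion signature above are the same story seen from three angles. The following is an added example, not code from the report or from the sandbox vendor: three process-creation heuristics run over event records constructed by hand from the report's "Process created" lines. The record layout (parent_image, image, command_line) is an assumed Sysmon-like schema.

```python
"""Process-tree heuristics for a hollowing / self-deletion chain.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's "Process created" lines; it is not a real log export.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # path of the creating process ("unknown" when not logged)
    image: str          # path of the created process
    command_line: str   # command line as logged


SAMPLE = r"C:\Users\user\Desktop\nji3Lg1ot6.exe"

EVENTS = [
    ProcEvent("unknown", SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(SAMPLE, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\autochk.exe",
              r"C:\Windows\SysWOW64\autochk.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\msiexec.exe",
              r"C:\Windows\SysWOW64\msiexec.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\SysWOW64\cmd.exe",
              f'/c del "{SAMPLE}"'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

SHELLS = {"cmd.exe", "powershell.exe", "explorer.exe"}
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?\.exe)"?\s*$', re.IGNORECASE)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def self_spawn(ev: ProcEvent) -> bool:
    """A process launching its own image again: the usual first step before a
    fresh copy of itself is hollowed."""
    return ev.parent_image.lower() == ev.image.lower()


def bare_syswow64_child_of_explorer(ev: ProcEvent) -> bool:
    """explorer.exe starting a 32-bit system binary with no arguments at all;
    legitimate launches of these tools almost always carry arguments."""
    cmd = ev.command_line.strip().strip('"').lower()
    return (_base(ev.parent_image) == "explorer.exe"
            and "\\windows\\syswow64\\" in ev.image.lower()
            and cmd == ev.image.lower())


def self_delete_target(ev: ProcEvent, seen_images: Set[str]) -> Optional[str]:
    """cmd /c del <exe> launched by a non-shell parent, where <exe> is an image
    that already executed earlier in the chain."""
    if _base(ev.image) != "cmd.exe" or _base(ev.parent_image) in SHELLS:
        return None
    m = DEL_RE.search(ev.command_line)
    if m and m.group(1).lower() in seen_images:
        return m.group(1)
    return None


def analyze(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    findings, seen = [], set()
    for ev in events:
        if self_spawn(ev):
            findings.append(("self-spawn", ev.image))
        if bare_syswow64_child_of_explorer(ev):
            findings.append(("hollow-target", ev.image))
        target = self_delete_target(ev, seen)
        if target:
            findings.append(("self-delete", target))
        seen.add(ev.image.lower())
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(EVENTS):
        print(f"{kind:14} {detail}")
```

The self-delete rule deliberately requires the deleted path to be an image already seen executing in the same event stream; a bare "cmd /c del" is far too common in installers and build scripts to alert on by itself.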

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6788 Thread sleep time: -56000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6720 Thread sleep time: -46000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00409AA0 rdtsc 1_2_00409AA0
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe API coverage: 7.9 %
Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 7.4 %
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_00405D7C FindFirstFileA,FindClose, 0_2_00405D7C
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053AA
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000003.00000000.330096852.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.303384073.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000003.00000000.327963401.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.330096852.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000003.00000000.327963401.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000003.00000000.330096852.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DA3
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00409AA0 rdtsc 1_2_00409AA0
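The RDTSC interceptor lines in the evasion section print the exact sequence (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc) and two addresses six bytes apart, and the "Contains functionality to read the PEB" list that follows is one mov from fs:[30h] per access. Both are recognisable statically. The following is an added example, not code from the report or from the sandbox vendor: a byte-pattern scanner for paired RDTSCs and PEB loads, run over a buffer constructed from the report's printed instruction sequence padded with filler. The subtraction and threshold after the second rdtsc, the BeingDebugged read, and the load address 0x409900 are assumptions for the constructed buffer.

```python
"""Static scan for two anti-analysis primitives: back-to-back RDTSC reads
(timing checks) and fs:[30h] loads (PEB access).

Added example, not part of the sandbox report. CODE is constructed from the
instruction sequence the report prints for 0x409904; it is not a dump of the sample.
"""
from typing import Dict, List, Tuple

RDTSC = b"\x0F\x31"

# 32-bit encodings of a PEB pointer load through the TEB (fs:[0x30]).
PEB_LOADS: Dict[bytes, str] = {
    b"\x64\xA1\x30\x00\x00\x00": "mov eax, fs:[30h]",        # short moffs form
    b"\x64\x8B\x05\x30\x00\x00\x00": "mov eax, fs:[30h]",    # modrm form
    b"\x64\x8B\x0D\x30\x00\x00\x00": "mov ecx, fs:[30h]",
    b"\x64\x8B\x15\x30\x00\x00\x00": "mov edx, fs:[30h]",
}


def find_all(code: bytes, pattern: bytes) -> List[int]:
    """Offsets of every (possibly overlapping) occurrence of pattern."""
    hits, i = [], code.find(pattern)
    while i != -1:
        hits.append(i)
        i = code.find(pattern, i + 1)
    return hits


def find_rdtsc_pairs(code: bytes, base: int, window: int = 16) -> List[Tuple[int, int]]:
    """Two RDTSCs within `window` bytes of each other: the shape of a delta-based
    VM/debugger timing check. Returns (first_va, second_va) pairs."""
    offs = find_all(code, RDTSC)
    return [(base + a, base + b) for a, b in zip(offs, offs[1:]) if b - a <= window]


def find_peb_reads(code: bytes, base: int) -> List[Tuple[int, str]]:
    hits = []
    for pat, text in PEB_LOADS.items():
        hits.extend((base + off, text) for off in find_all(code, pat))
    return sorted(hits)


def scan(code: bytes, base: int) -> Dict[str, list]:
    return {"rdtsc_pairs": find_rdtsc_pairs(code, base),
            "peb_reads": find_peb_reads(code, base)}


BASE = 0x409900   # assumed load address for the constructed buffer
CODE = (
    b"\x90" * 4                                               # filler so the pair lands at 0x409904
    + b"\x0F\x31" + b"\x31\xC9" + b"\x01\xC1" + b"\x0F\x31"  # rdtsc; xor ecx,ecx; add ecx,eax; rdtsc
    + b"\x2B\xC1"                                             # sub eax, ecx        (assumed delta)
    + b"\x3D\x00\x10\x00\x00"                                 # cmp eax, 1000h      (assumed threshold)
    + b"\x90" * 40
    + b"\x64\xA1\x30\x00\x00\x00"                             # mov eax, fs:[30h]   (PEB)
    + b"\x0F\xB6\x40\x02"                                     # movzx eax, byte [eax+2] (PEB.BeingDebugged)
    + b"\x90" * 40
    + b"\x0F\x31"                                             # lone rdtsc: no partner within the window
)

if __name__ == "__main__":
    for kind, hits in scan(CODE, BASE).items():
        print(kind)
        for hit in hits:
            print("   ", "  ".join(hex(x) if isinstance(x, int) else x for x in hit))
```

This is a byte scanner, not a disassembler: 0F 31 or 64 A1 30 00 00 00 can also occur inside immediates or data, so treat hits as candidates to confirm in a disassembler. The pairing window is what separates a timing check from a single RDTSC used, say, for seeding.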
Enables debug privileges
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_0019EB1E mov eax, dword ptr fs:[00000030h] 0_2_0019EB1E
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_0019E90A mov eax, dword ptr fs:[00000030h] 0_2_0019E90A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_0019EC4C mov eax, dword ptr fs:[00000030h] 0_2_0019EC4C
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_0019EBCF mov eax, dword ptr fs:[00000030h] 0_2_0019EBCF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_0019EC0E mov eax, dword ptr fs:[00000030h] 0_2_0019EC0E
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A520A0 mov eax, dword ptr fs:[00000030h] 1_2_00A520A0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A520A0 mov eax, dword ptr fs:[00000030h] 1_2_00A520A0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A520A0 mov eax, dword ptr fs:[00000030h] 1_2_00A520A0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A520A0 mov eax, dword ptr fs:[00000030h] 1_2_00A520A0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A520A0 mov eax, dword ptr fs:[00000030h] 1_2_00A520A0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A520A0 mov eax, dword ptr fs:[00000030h] 1_2_00A520A0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A690AF mov eax, dword ptr fs:[00000030h] 1_2_00A690AF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5F0BF mov ecx, dword ptr fs:[00000030h] 1_2_00A5F0BF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5F0BF mov eax, dword ptr fs:[00000030h] 1_2_00A5F0BF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5F0BF mov eax, dword ptr fs:[00000030h] 1_2_00A5F0BF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A29080 mov eax, dword ptr fs:[00000030h] 1_2_00A29080
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA3884 mov eax, dword ptr fs:[00000030h] 1_2_00AA3884
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA3884 mov eax, dword ptr fs:[00000030h] 1_2_00AA3884
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4B8E4 mov eax, dword ptr fs:[00000030h] 1_2_00A4B8E4
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4B8E4 mov eax, dword ptr fs:[00000030h] 1_2_00A4B8E4
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A240E1 mov eax, dword ptr fs:[00000030h] 1_2_00A240E1
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A240E1 mov eax, dword ptr fs:[00000030h] 1_2_00A240E1
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A240E1 mov eax, dword ptr fs:[00000030h] 1_2_00A240E1
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A258EC mov eax, dword ptr fs:[00000030h] 1_2_00A258EC
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00ABB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00ABB8D0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00ABB8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00ABB8D0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00ABB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00ABB8D0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00ABB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00ABB8D0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00ABB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00ABB8D0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00ABB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00ABB8D0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5002D mov eax, dword ptr fs:[00000030h] 1_2_00A5002D
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5002D mov eax, dword ptr fs:[00000030h] 1_2_00A5002D
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5002D mov eax, dword ptr fs:[00000030h] 1_2_00A5002D
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5002D mov eax, dword ptr fs:[00000030h] 1_2_00A5002D
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5002D mov eax, dword ptr fs:[00000030h] 1_2_00A5002D
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A3B02A mov eax, dword ptr fs:[00000030h] 1_2_00A3B02A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A3B02A mov eax, dword ptr fs:[00000030h] 1_2_00A3B02A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A3B02A mov eax, dword ptr fs:[00000030h] 1_2_00A3B02A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A3B02A mov eax, dword ptr fs:[00000030h] 1_2_00A3B02A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4A830 mov eax, dword ptr fs:[00000030h] 1_2_00A4A830
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4A830 mov eax, dword ptr fs:[00000030h] 1_2_00A4A830
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4A830 mov eax, dword ptr fs:[00000030h] 1_2_00A4A830
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4A830 mov eax, dword ptr fs:[00000030h] 1_2_00A4A830
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF4015 mov eax, dword ptr fs:[00000030h] 1_2_00AF4015
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF4015 mov eax, dword ptr fs:[00000030h] 1_2_00AF4015
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA7016 mov eax, dword ptr fs:[00000030h] 1_2_00AA7016
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA7016 mov eax, dword ptr fs:[00000030h] 1_2_00AA7016
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA7016 mov eax, dword ptr fs:[00000030h] 1_2_00AA7016
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF1074 mov eax, dword ptr fs:[00000030h] 1_2_00AF1074
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE2073 mov eax, dword ptr fs:[00000030h] 1_2_00AE2073
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A40050 mov eax, dword ptr fs:[00000030h] 1_2_00A40050
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A40050 mov eax, dword ptr fs:[00000030h] 1_2_00A40050
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A561A0 mov eax, dword ptr fs:[00000030h] 1_2_00A561A0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A561A0 mov eax, dword ptr fs:[00000030h] 1_2_00A561A0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AE49A4
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AE49A4
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AE49A4
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AE49A4
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA69A6 mov eax, dword ptr fs:[00000030h] 1_2_00AA69A6
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA51BE mov eax, dword ptr fs:[00000030h] 1_2_00AA51BE
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA51BE mov eax, dword ptr fs:[00000030h] 1_2_00AA51BE
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA51BE mov eax, dword ptr fs:[00000030h] 1_2_00AA51BE
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA51BE mov eax, dword ptr fs:[00000030h] 1_2_00AA51BE
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A499BF mov ecx, dword ptr fs:[00000030h] 1_2_00A499BF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A499BF mov ecx, dword ptr fs:[00000030h] 1_2_00A499BF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A499BF mov eax, dword ptr fs:[00000030h] 1_2_00A499BF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A499BF mov ecx, dword ptr fs:[00000030h] 1_2_00A499BF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A499BF mov ecx, dword ptr fs:[00000030h] 1_2_00A499BF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A499BF mov eax, dword ptr fs:[00000030h] 1_2_00A499BF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A499BF mov ecx, dword ptr fs:[00000030h] 1_2_00A499BF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A499BF mov ecx, dword ptr fs:[00000030h] 1_2_00A499BF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A499BF mov eax, dword ptr fs:[00000030h] 1_2_00A499BF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A499BF mov ecx, dword ptr fs:[00000030h] 1_2_00A499BF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A499BF mov ecx, dword ptr fs:[00000030h] 1_2_00A499BF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A499BF mov eax, dword ptr fs:[00000030h] 1_2_00A499BF
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5A185 mov eax, dword ptr fs:[00000030h] 1_2_00A5A185
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4C182 mov eax, dword ptr fs:[00000030h] 1_2_00A4C182
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A52990 mov eax, dword ptr fs:[00000030h] 1_2_00A52990
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A2B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A2B1E1
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A2B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A2B1E1
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A2B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A2B1E1
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AB41E8 mov eax, dword ptr fs:[00000030h] 1_2_00AB41E8
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A44120 mov eax, dword ptr fs:[00000030h] 1_2_00A44120
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A44120 mov eax, dword ptr fs:[00000030h] 1_2_00A44120
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A44120 mov eax, dword ptr fs:[00000030h] 1_2_00A44120
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A44120 mov eax, dword ptr fs:[00000030h] 1_2_00A44120
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A44120 mov ecx, dword ptr fs:[00000030h] 1_2_00A44120
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5513A mov eax, dword ptr fs:[00000030h] 1_2_00A5513A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5513A mov eax, dword ptr fs:[00000030h] 1_2_00A5513A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A29100 mov eax, dword ptr fs:[00000030h] 1_2_00A29100
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A29100 mov eax, dword ptr fs:[00000030h] 1_2_00A29100
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A29100 mov eax, dword ptr fs:[00000030h] 1_2_00A29100
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A2C962 mov eax, dword ptr fs:[00000030h] 1_2_00A2C962
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A2B171 mov eax, dword ptr fs:[00000030h] 1_2_00A2B171
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A2B171 mov eax, dword ptr fs:[00000030h] 1_2_00A2B171
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4B944 mov eax, dword ptr fs:[00000030h] 1_2_00A4B944
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4B944 mov eax, dword ptr fs:[00000030h] 1_2_00A4B944
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A252A5 mov eax, dword ptr fs:[00000030h] 1_2_00A252A5
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A252A5 mov eax, dword ptr fs:[00000030h] 1_2_00A252A5
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A252A5 mov eax, dword ptr fs:[00000030h] 1_2_00A252A5
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A252A5 mov eax, dword ptr fs:[00000030h] 1_2_00A252A5
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A252A5 mov eax, dword ptr fs:[00000030h] 1_2_00A252A5
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A3AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A3AAB0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A3AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A3AAB0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5FAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A5FAB0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5D294 mov eax, dword ptr fs:[00000030h] 1_2_00A5D294
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5D294 mov eax, dword ptr fs:[00000030h] 1_2_00A5D294
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A52AE4 mov eax, dword ptr fs:[00000030h] 1_2_00A52AE4
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A52ACB mov eax, dword ptr fs:[00000030h] 1_2_00A52ACB
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A64A2C mov eax, dword ptr fs:[00000030h] 1_2_00A64A2C
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A64A2C mov eax, dword ptr fs:[00000030h] 1_2_00A64A2C
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h] 1_2_00A4A229
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h] 1_2_00A4A229
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h] 1_2_00A4A229
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h] 1_2_00A4A229
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h] 1_2_00A4A229
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h] 1_2_00A4A229
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h] 1_2_00A4A229
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h] 1_2_00A4A229
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h] 1_2_00A4A229
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A38A0A mov eax, dword ptr fs:[00000030h] 1_2_00A38A0A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A25210 mov eax, dword ptr fs:[00000030h] 1_2_00A25210
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A25210 mov ecx, dword ptr fs:[00000030h] 1_2_00A25210
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A25210 mov eax, dword ptr fs:[00000030h] 1_2_00A25210
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A25210 mov eax, dword ptr fs:[00000030h] 1_2_00A25210
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A2AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A2AA16
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A2AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A2AA16
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A43A1C mov eax, dword ptr fs:[00000030h] 1_2_00A43A1C
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AEAA16 mov eax, dword ptr fs:[00000030h] 1_2_00AEAA16
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AEAA16 mov eax, dword ptr fs:[00000030h] 1_2_00AEAA16
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00ADB260 mov eax, dword ptr fs:[00000030h] 1_2_00ADB260
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00ADB260 mov eax, dword ptr fs:[00000030h] 1_2_00ADB260
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF8A62 mov eax, dword ptr fs:[00000030h] 1_2_00AF8A62
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A6927A mov eax, dword ptr fs:[00000030h] 1_2_00A6927A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A29240 mov eax, dword ptr fs:[00000030h] 1_2_00A29240
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A29240 mov eax, dword ptr fs:[00000030h] 1_2_00A29240
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A29240 mov eax, dword ptr fs:[00000030h] 1_2_00A29240
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A29240 mov eax, dword ptr fs:[00000030h] 1_2_00A29240
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AEEA55 mov eax, dword ptr fs:[00000030h] 1_2_00AEEA55
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AB4257 mov eax, dword ptr fs:[00000030h] 1_2_00AB4257
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A54BAD mov eax, dword ptr fs:[00000030h] 1_2_00A54BAD
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A54BAD mov eax, dword ptr fs:[00000030h] 1_2_00A54BAD
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A54BAD mov eax, dword ptr fs:[00000030h] 1_2_00A54BAD
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF5BA5 mov eax, dword ptr fs:[00000030h] 1_2_00AF5BA5
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE138A mov eax, dword ptr fs:[00000030h] 1_2_00AE138A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A31B8F mov eax, dword ptr fs:[00000030h] 1_2_00A31B8F
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A31B8F mov eax, dword ptr fs:[00000030h] 1_2_00A31B8F
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00ADD380 mov ecx, dword ptr fs:[00000030h] 1_2_00ADD380
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A52397 mov eax, dword ptr fs:[00000030h] 1_2_00A52397
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5B390 mov eax, dword ptr fs:[00000030h] 1_2_00A5B390
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h] 1_2_00A503E2
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h] 1_2_00A503E2
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h] 1_2_00A503E2
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h] 1_2_00A503E2
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h] 1_2_00A503E2
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h] 1_2_00A503E2
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4DBE9 mov eax, dword ptr fs:[00000030h] 1_2_00A4DBE9
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA53CA mov eax, dword ptr fs:[00000030h] 1_2_00AA53CA
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA53CA mov eax, dword ptr fs:[00000030h] 1_2_00AA53CA
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE131B mov eax, dword ptr fs:[00000030h] 1_2_00AE131B
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A2DB60 mov ecx, dword ptr fs:[00000030h] 1_2_00A2DB60
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A53B7A mov eax, dword ptr fs:[00000030h] 1_2_00A53B7A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A53B7A mov eax, dword ptr fs:[00000030h] 1_2_00A53B7A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A2DB40 mov eax, dword ptr fs:[00000030h] 1_2_00A2DB40
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF8B58 mov eax, dword ptr fs:[00000030h] 1_2_00AF8B58
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A2F358 mov eax, dword ptr fs:[00000030h] 1_2_00A2F358
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A3849B mov eax, dword ptr fs:[00000030h] 1_2_00A3849B
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE14FB mov eax, dword ptr fs:[00000030h] 1_2_00AE14FB
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA6CF0 mov eax, dword ptr fs:[00000030h] 1_2_00AA6CF0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA6CF0 mov eax, dword ptr fs:[00000030h] 1_2_00AA6CF0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA6CF0 mov eax, dword ptr fs:[00000030h] 1_2_00AA6CF0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF8CD6 mov eax, dword ptr fs:[00000030h] 1_2_00AF8CD6
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5BC2C mov eax, dword ptr fs:[00000030h] 1_2_00A5BC2C
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA6C0A mov eax, dword ptr fs:[00000030h] 1_2_00AA6C0A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA6C0A mov eax, dword ptr fs:[00000030h] 1_2_00AA6C0A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA6C0A mov eax, dword ptr fs:[00000030h] 1_2_00AA6C0A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA6C0A mov eax, dword ptr fs:[00000030h] 1_2_00AA6C0A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF740D mov eax, dword ptr fs:[00000030h] 1_2_00AF740D
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF740D mov eax, dword ptr fs:[00000030h] 1_2_00AF740D
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF740D mov eax, dword ptr fs:[00000030h] 1_2_00AF740D
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AE1C06
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AE1C06
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AE1C06
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AE1C06
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AE1C06
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AE1C06
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AE1C06
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AE1C06
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AE1C06
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AE1C06
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AE1C06
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AE1C06
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AE1C06
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AE1C06
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4746D mov eax, dword ptr fs:[00000030h] 1_2_00A4746D
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5A44B mov eax, dword ptr fs:[00000030h] 1_2_00A5A44B
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00ABC450 mov eax, dword ptr fs:[00000030h] 1_2_00ABC450
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00ABC450 mov eax, dword ptr fs:[00000030h] 1_2_00ABC450
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF05AC mov eax, dword ptr fs:[00000030h] 1_2_00AF05AC
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF05AC mov eax, dword ptr fs:[00000030h] 1_2_00AF05AC
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A535A1 mov eax, dword ptr fs:[00000030h] 1_2_00A535A1
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A51DB5 mov eax, dword ptr fs:[00000030h] 1_2_00A51DB5
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A51DB5 mov eax, dword ptr fs:[00000030h] 1_2_00A51DB5
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A51DB5 mov eax, dword ptr fs:[00000030h] 1_2_00A51DB5
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A52581 mov eax, dword ptr fs:[00000030h] 1_2_00A52581
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A52581 mov eax, dword ptr fs:[00000030h] 1_2_00A52581
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A52581 mov eax, dword ptr fs:[00000030h] 1_2_00A52581
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A52581 mov eax, dword ptr fs:[00000030h] 1_2_00A52581
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A22D8A mov eax, dword ptr fs:[00000030h] 1_2_00A22D8A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A22D8A mov eax, dword ptr fs:[00000030h] 1_2_00A22D8A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A22D8A mov eax, dword ptr fs:[00000030h] 1_2_00A22D8A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A22D8A mov eax, dword ptr fs:[00000030h] 1_2_00A22D8A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A22D8A mov eax, dword ptr fs:[00000030h] 1_2_00A22D8A
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5FD9B mov eax, dword ptr fs:[00000030h] 1_2_00A5FD9B
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5FD9B mov eax, dword ptr fs:[00000030h] 1_2_00A5FD9B
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A3D5E0 mov eax, dword ptr fs:[00000030h] 1_2_00A3D5E0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A3D5E0 mov eax, dword ptr fs:[00000030h] 1_2_00A3D5E0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AEFDE2 mov eax, dword ptr fs:[00000030h] 1_2_00AEFDE2
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AEFDE2 mov eax, dword ptr fs:[00000030h] 1_2_00AEFDE2
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AEFDE2 mov eax, dword ptr fs:[00000030h] 1_2_00AEFDE2
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AEFDE2 mov eax, dword ptr fs:[00000030h] 1_2_00AEFDE2
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AD8DF1 mov eax, dword ptr fs:[00000030h] 1_2_00AD8DF1
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA6DC9 mov eax, dword ptr fs:[00000030h] 1_2_00AA6DC9
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA6DC9 mov eax, dword ptr fs:[00000030h] 1_2_00AA6DC9
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA6DC9 mov eax, dword ptr fs:[00000030h] 1_2_00AA6DC9
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA6DC9 mov ecx, dword ptr fs:[00000030h] 1_2_00AA6DC9
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA6DC9 mov eax, dword ptr fs:[00000030h] 1_2_00AA6DC9
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA6DC9 mov eax, dword ptr fs:[00000030h] 1_2_00AA6DC9
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A2AD30 mov eax, dword ptr fs:[00000030h] 1_2_00A2AD30
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h] 1_2_00A33D34
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h] 1_2_00A33D34
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h] 1_2_00A33D34
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h] 1_2_00A33D34
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h] 1_2_00A33D34
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h] 1_2_00A33D34
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h] 1_2_00A33D34
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h] 1_2_00A33D34
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h] 1_2_00A33D34
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h] 1_2_00A33D34
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h] 1_2_00A33D34
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h] 1_2_00A33D34
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h] 1_2_00A33D34
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AEE539 mov eax, dword ptr fs:[00000030h] 1_2_00AEE539
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF8D34 mov eax, dword ptr fs:[00000030h] 1_2_00AF8D34
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AAA537 mov eax, dword ptr fs:[00000030h] 1_2_00AAA537
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A54D3B mov eax, dword ptr fs:[00000030h] 1_2_00A54D3B
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A54D3B mov eax, dword ptr fs:[00000030h] 1_2_00A54D3B
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A54D3B mov eax, dword ptr fs:[00000030h] 1_2_00A54D3B
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4C577 mov eax, dword ptr fs:[00000030h] 1_2_00A4C577
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4C577 mov eax, dword ptr fs:[00000030h] 1_2_00A4C577
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A63D43 mov eax, dword ptr fs:[00000030h] 1_2_00A63D43
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA3540 mov eax, dword ptr fs:[00000030h] 1_2_00AA3540
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AD3D40 mov eax, dword ptr fs:[00000030h] 1_2_00AD3D40
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A47D50 mov eax, dword ptr fs:[00000030h] 1_2_00A47D50
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF0EA5 mov eax, dword ptr fs:[00000030h] 1_2_00AF0EA5
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF0EA5 mov eax, dword ptr fs:[00000030h] 1_2_00AF0EA5
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF0EA5 mov eax, dword ptr fs:[00000030h] 1_2_00AF0EA5
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA46A7 mov eax, dword ptr fs:[00000030h] 1_2_00AA46A7
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00ABFE87 mov eax, dword ptr fs:[00000030h] 1_2_00ABFE87
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A376E2 mov eax, dword ptr fs:[00000030h] 1_2_00A376E2
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A516E0 mov ecx, dword ptr fs:[00000030h] 1_2_00A516E0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A68EC7 mov eax, dword ptr fs:[00000030h] 1_2_00A68EC7
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A536CC mov eax, dword ptr fs:[00000030h] 1_2_00A536CC
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00ADFEC0 mov eax, dword ptr fs:[00000030h] 1_2_00ADFEC0
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF8ED6 mov eax, dword ptr fs:[00000030h] 1_2_00AF8ED6
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A2E620 mov eax, dword ptr fs:[00000030h] 1_2_00A2E620
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00ADFE3F mov eax, dword ptr fs:[00000030h] 1_2_00ADFE3F
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A2C600 mov eax, dword ptr fs:[00000030h] 1_2_00A2C600
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A2C600 mov eax, dword ptr fs:[00000030h] 1_2_00A2C600
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A2C600 mov eax, dword ptr fs:[00000030h] 1_2_00A2C600
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A58E00 mov eax, dword ptr fs:[00000030h] 1_2_00A58E00
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AE1608 mov eax, dword ptr fs:[00000030h] 1_2_00AE1608
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5A61C mov eax, dword ptr fs:[00000030h] 1_2_00A5A61C
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5A61C mov eax, dword ptr fs:[00000030h] 1_2_00A5A61C
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A3766D mov eax, dword ptr fs:[00000030h] 1_2_00A3766D
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A4AE73
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A4AE73
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A4AE73
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A4AE73
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A4AE73
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h] 1_2_00A37E41
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h] 1_2_00A37E41
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h] 1_2_00A37E41
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h] 1_2_00A37E41
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h] 1_2_00A37E41
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h] 1_2_00A37E41
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AEAE44 mov eax, dword ptr fs:[00000030h] 1_2_00AEAE44
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AEAE44 mov eax, dword ptr fs:[00000030h] 1_2_00AEAE44
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A38794 mov eax, dword ptr fs:[00000030h] 1_2_00A38794
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA7794 mov eax, dword ptr fs:[00000030h] 1_2_00AA7794
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA7794 mov eax, dword ptr fs:[00000030h] 1_2_00AA7794
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AA7794 mov eax, dword ptr fs:[00000030h] 1_2_00AA7794
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A637F5 mov eax, dword ptr fs:[00000030h] 1_2_00A637F5
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A24F2E mov eax, dword ptr fs:[00000030h] 1_2_00A24F2E
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A24F2E mov eax, dword ptr fs:[00000030h] 1_2_00A24F2E
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A5E730 mov eax, dword ptr fs:[00000030h] 1_2_00A5E730
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4B73D mov eax, dword ptr fs:[00000030h] 1_2_00A4B73D
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A4B73D mov eax, dword ptr fs:[00000030h] 1_2_00A4B73D
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF070D mov eax, dword ptr fs:[00000030h] 1_2_00AF070D
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00AF070D mov eax, dword ptr fs:[00000030h] 1_2_00AF070D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046C746D mov eax, dword ptr fs:[00000030h] 7_2_046C746D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0473C450 mov eax, dword ptr fs:[00000030h] 7_2_0473C450
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0473C450 mov eax, dword ptr fs:[00000030h] 7_2_0473C450
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046DA44B mov eax, dword ptr fs:[00000030h] 7_2_046DA44B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046DBC2C mov eax, dword ptr fs:[00000030h] 7_2_046DBC2C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h] 7_2_04761C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h] 7_2_04761C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h] 7_2_04761C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h] 7_2_04761C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h] 7_2_04761C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h] 7_2_04761C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h] 7_2_04761C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h] 7_2_04761C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h] 7_2_04761C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h] 7_2_04761C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h] 7_2_04761C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h] 7_2_04761C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h] 7_2_04761C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h] 7_2_04761C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04726C0A mov eax, dword ptr fs:[00000030h] 7_2_04726C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04726C0A mov eax, dword ptr fs:[00000030h] 7_2_04726C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04726C0A mov eax, dword ptr fs:[00000030h] 7_2_04726C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04726C0A mov eax, dword ptr fs:[00000030h] 7_2_04726C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0477740D mov eax, dword ptr fs:[00000030h] 7_2_0477740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0477740D mov eax, dword ptr fs:[00000030h] 7_2_0477740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0477740D mov eax, dword ptr fs:[00000030h] 7_2_0477740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04726CF0 mov eax, dword ptr fs:[00000030h] 7_2_04726CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04726CF0 mov eax, dword ptr fs:[00000030h] 7_2_04726CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04726CF0 mov eax, dword ptr fs:[00000030h] 7_2_04726CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_047614FB mov eax, dword ptr fs:[00000030h] 7_2_047614FB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04778CD6 mov eax, dword ptr fs:[00000030h] 7_2_04778CD6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B849B mov eax, dword ptr fs:[00000030h] 7_2_046B849B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CC577 mov eax, dword ptr fs:[00000030h] 7_2_046CC577
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CC577 mov eax, dword ptr fs:[00000030h] 7_2_046CC577
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E3D43 mov eax, dword ptr fs:[00000030h] 7_2_046E3D43
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04723540 mov eax, dword ptr fs:[00000030h] 7_2_04723540
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04753D40 mov eax, dword ptr fs:[00000030h] 7_2_04753D40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046C7D50 mov eax, dword ptr fs:[00000030h] 7_2_046C7D50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04778D34 mov eax, dword ptr fs:[00000030h] 7_2_04778D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0472A537 mov eax, dword ptr fs:[00000030h] 7_2_0472A537
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0476E539 mov eax, dword ptr fs:[00000030h] 7_2_0476E539
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D4D3B mov eax, dword ptr fs:[00000030h] 7_2_046D4D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D4D3B mov eax, dword ptr fs:[00000030h] 7_2_046D4D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D4D3B mov eax, dword ptr fs:[00000030h] 7_2_046D4D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046AAD30 mov eax, dword ptr fs:[00000030h] 7_2_046AAD30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h] 7_2_046B3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h] 7_2_046B3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h] 7_2_046B3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h] 7_2_046B3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h] 7_2_046B3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h] 7_2_046B3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h] 7_2_046B3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h] 7_2_046B3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h] 7_2_046B3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h] 7_2_046B3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h] 7_2_046B3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h] 7_2_046B3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h] 7_2_046B3D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04758DF1 mov eax, dword ptr fs:[00000030h] 7_2_04758DF1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046BD5E0 mov eax, dword ptr fs:[00000030h] 7_2_046BD5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046BD5E0 mov eax, dword ptr fs:[00000030h] 7_2_046BD5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0476FDE2 mov eax, dword ptr fs:[00000030h] 7_2_0476FDE2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0476FDE2 mov eax, dword ptr fs:[00000030h] 7_2_0476FDE2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0476FDE2 mov eax, dword ptr fs:[00000030h] 7_2_0476FDE2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0476FDE2 mov eax, dword ptr fs:[00000030h] 7_2_0476FDE2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04726DC9 mov eax, dword ptr fs:[00000030h] 7_2_04726DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04726DC9 mov eax, dword ptr fs:[00000030h] 7_2_04726DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04726DC9 mov eax, dword ptr fs:[00000030h] 7_2_04726DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04726DC9 mov ecx, dword ptr fs:[00000030h] 7_2_04726DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04726DC9 mov eax, dword ptr fs:[00000030h] 7_2_04726DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04726DC9 mov eax, dword ptr fs:[00000030h] 7_2_04726DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D35A1 mov eax, dword ptr fs:[00000030h] 7_2_046D35A1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D1DB5 mov eax, dword ptr fs:[00000030h] 7_2_046D1DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D1DB5 mov eax, dword ptr fs:[00000030h] 7_2_046D1DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D1DB5 mov eax, dword ptr fs:[00000030h] 7_2_046D1DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_047705AC mov eax, dword ptr fs:[00000030h] 7_2_047705AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_047705AC mov eax, dword ptr fs:[00000030h] 7_2_047705AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046A2D8A mov eax, dword ptr fs:[00000030h] 7_2_046A2D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046A2D8A mov eax, dword ptr fs:[00000030h] 7_2_046A2D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046A2D8A mov eax, dword ptr fs:[00000030h] 7_2_046A2D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046A2D8A mov eax, dword ptr fs:[00000030h] 7_2_046A2D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046A2D8A mov eax, dword ptr fs:[00000030h] 7_2_046A2D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D2581 mov eax, dword ptr fs:[00000030h] 7_2_046D2581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D2581 mov eax, dword ptr fs:[00000030h] 7_2_046D2581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D2581 mov eax, dword ptr fs:[00000030h] 7_2_046D2581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D2581 mov eax, dword ptr fs:[00000030h] 7_2_046D2581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046DFD9B mov eax, dword ptr fs:[00000030h] 7_2_046DFD9B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046DFD9B mov eax, dword ptr fs:[00000030h] 7_2_046DFD9B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B766D mov eax, dword ptr fs:[00000030h] 7_2_046B766D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CAE73 mov eax, dword ptr fs:[00000030h] 7_2_046CAE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CAE73 mov eax, dword ptr fs:[00000030h] 7_2_046CAE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CAE73 mov eax, dword ptr fs:[00000030h] 7_2_046CAE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CAE73 mov eax, dword ptr fs:[00000030h] 7_2_046CAE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CAE73 mov eax, dword ptr fs:[00000030h] 7_2_046CAE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B7E41 mov eax, dword ptr fs:[00000030h] 7_2_046B7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B7E41 mov eax, dword ptr fs:[00000030h] 7_2_046B7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B7E41 mov eax, dword ptr fs:[00000030h] 7_2_046B7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B7E41 mov eax, dword ptr fs:[00000030h] 7_2_046B7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B7E41 mov eax, dword ptr fs:[00000030h] 7_2_046B7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B7E41 mov eax, dword ptr fs:[00000030h] 7_2_046B7E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0476AE44 mov eax, dword ptr fs:[00000030h] 7_2_0476AE44
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0476AE44 mov eax, dword ptr fs:[00000030h] 7_2_0476AE44
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0475FE3F mov eax, dword ptr fs:[00000030h] 7_2_0475FE3F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046AE620 mov eax, dword ptr fs:[00000030h] 7_2_046AE620
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046AC600 mov eax, dword ptr fs:[00000030h] 7_2_046AC600
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046AC600 mov eax, dword ptr fs:[00000030h] 7_2_046AC600
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046AC600 mov eax, dword ptr fs:[00000030h] 7_2_046AC600
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D8E00 mov eax, dword ptr fs:[00000030h] 7_2_046D8E00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046DA61C mov eax, dword ptr fs:[00000030h] 7_2_046DA61C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046DA61C mov eax, dword ptr fs:[00000030h] 7_2_046DA61C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04761608 mov eax, dword ptr fs:[00000030h] 7_2_04761608
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B76E2 mov eax, dword ptr fs:[00000030h] 7_2_046B76E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D16E0 mov ecx, dword ptr fs:[00000030h] 7_2_046D16E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04778ED6 mov eax, dword ptr fs:[00000030h] 7_2_04778ED6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D36CC mov eax, dword ptr fs:[00000030h] 7_2_046D36CC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E8EC7 mov eax, dword ptr fs:[00000030h] 7_2_046E8EC7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0475FEC0 mov eax, dword ptr fs:[00000030h] 7_2_0475FEC0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04770EA5 mov eax, dword ptr fs:[00000030h] 7_2_04770EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04770EA5 mov eax, dword ptr fs:[00000030h] 7_2_04770EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04770EA5 mov eax, dword ptr fs:[00000030h] 7_2_04770EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_047246A7 mov eax, dword ptr fs:[00000030h] 7_2_047246A7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0473FE87 mov eax, dword ptr fs:[00000030h] 7_2_0473FE87
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046BFF60 mov eax, dword ptr fs:[00000030h] 7_2_046BFF60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04778F6A mov eax, dword ptr fs:[00000030h] 7_2_04778F6A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046BEF40 mov eax, dword ptr fs:[00000030h] 7_2_046BEF40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046A4F2E mov eax, dword ptr fs:[00000030h] 7_2_046A4F2E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046A4F2E mov eax, dword ptr fs:[00000030h] 7_2_046A4F2E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CB73D mov eax, dword ptr fs:[00000030h] 7_2_046CB73D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CB73D mov eax, dword ptr fs:[00000030h] 7_2_046CB73D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046DE730 mov eax, dword ptr fs:[00000030h] 7_2_046DE730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0473FF10 mov eax, dword ptr fs:[00000030h] 7_2_0473FF10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0473FF10 mov eax, dword ptr fs:[00000030h] 7_2_0473FF10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046DA70E mov eax, dword ptr fs:[00000030h] 7_2_046DA70E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046DA70E mov eax, dword ptr fs:[00000030h] 7_2_046DA70E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0477070D mov eax, dword ptr fs:[00000030h] 7_2_0477070D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0477070D mov eax, dword ptr fs:[00000030h] 7_2_0477070D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CF716 mov eax, dword ptr fs:[00000030h] 7_2_046CF716
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E37F5 mov eax, dword ptr fs:[00000030h] 7_2_046E37F5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04727794 mov eax, dword ptr fs:[00000030h] 7_2_04727794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04727794 mov eax, dword ptr fs:[00000030h] 7_2_04727794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04727794 mov eax, dword ptr fs:[00000030h] 7_2_04727794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B8794 mov eax, dword ptr fs:[00000030h] 7_2_046B8794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04771074 mov eax, dword ptr fs:[00000030h] 7_2_04771074
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04762073 mov eax, dword ptr fs:[00000030h] 7_2_04762073
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046C0050 mov eax, dword ptr fs:[00000030h] 7_2_046C0050
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046C0050 mov eax, dword ptr fs:[00000030h] 7_2_046C0050
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D002D mov eax, dword ptr fs:[00000030h] 7_2_046D002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D002D mov eax, dword ptr fs:[00000030h] 7_2_046D002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D002D mov eax, dword ptr fs:[00000030h] 7_2_046D002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D002D mov eax, dword ptr fs:[00000030h] 7_2_046D002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D002D mov eax, dword ptr fs:[00000030h] 7_2_046D002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046BB02A mov eax, dword ptr fs:[00000030h] 7_2_046BB02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046BB02A mov eax, dword ptr fs:[00000030h] 7_2_046BB02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046BB02A mov eax, dword ptr fs:[00000030h] 7_2_046BB02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046BB02A mov eax, dword ptr fs:[00000030h] 7_2_046BB02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CA830 mov eax, dword ptr fs:[00000030h] 7_2_046CA830
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CA830 mov eax, dword ptr fs:[00000030h] 7_2_046CA830
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CA830 mov eax, dword ptr fs:[00000030h] 7_2_046CA830
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CA830 mov eax, dword ptr fs:[00000030h] 7_2_046CA830
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04774015 mov eax, dword ptr fs:[00000030h] 7_2_04774015
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04774015 mov eax, dword ptr fs:[00000030h] 7_2_04774015
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04727016 mov eax, dword ptr fs:[00000030h] 7_2_04727016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04727016 mov eax, dword ptr fs:[00000030h] 7_2_04727016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04727016 mov eax, dword ptr fs:[00000030h] 7_2_04727016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046A58EC mov eax, dword ptr fs:[00000030h] 7_2_046A58EC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CB8E4 mov eax, dword ptr fs:[00000030h] 7_2_046CB8E4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CB8E4 mov eax, dword ptr fs:[00000030h] 7_2_046CB8E4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046A40E1 mov eax, dword ptr fs:[00000030h] 7_2_046A40E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046A40E1 mov eax, dword ptr fs:[00000030h] 7_2_046A40E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046A40E1 mov eax, dword ptr fs:[00000030h] 7_2_046A40E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0473B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0473B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0473B8D0 mov ecx, dword ptr fs:[00000030h] 7_2_0473B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0473B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0473B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0473B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0473B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0473B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0473B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0473B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0473B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E90AF mov eax, dword ptr fs:[00000030h] 7_2_046E90AF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D20A0 mov eax, dword ptr fs:[00000030h] 7_2_046D20A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D20A0 mov eax, dword ptr fs:[00000030h] 7_2_046D20A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D20A0 mov eax, dword ptr fs:[00000030h] 7_2_046D20A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D20A0 mov eax, dword ptr fs:[00000030h] 7_2_046D20A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D20A0 mov eax, dword ptr fs:[00000030h] 7_2_046D20A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D20A0 mov eax, dword ptr fs:[00000030h] 7_2_046D20A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046DF0BF mov ecx, dword ptr fs:[00000030h] 7_2_046DF0BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046DF0BF mov eax, dword ptr fs:[00000030h] 7_2_046DF0BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046DF0BF mov eax, dword ptr fs:[00000030h] 7_2_046DF0BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046A9080 mov eax, dword ptr fs:[00000030h] 7_2_046A9080
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04723884 mov eax, dword ptr fs:[00000030h] 7_2_04723884
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04723884 mov eax, dword ptr fs:[00000030h] 7_2_04723884
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046AC962 mov eax, dword ptr fs:[00000030h] 7_2_046AC962
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046AB171 mov eax, dword ptr fs:[00000030h] 7_2_046AB171
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046AB171 mov eax, dword ptr fs:[00000030h] 7_2_046AB171
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CB944 mov eax, dword ptr fs:[00000030h] 7_2_046CB944
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CB944 mov eax, dword ptr fs:[00000030h] 7_2_046CB944
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046C4120 mov eax, dword ptr fs:[00000030h] 7_2_046C4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046C4120 mov eax, dword ptr fs:[00000030h] 7_2_046C4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046C4120 mov eax, dword ptr fs:[00000030h] 7_2_046C4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046C4120 mov eax, dword ptr fs:[00000030h] 7_2_046C4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046C4120 mov ecx, dword ptr fs:[00000030h] 7_2_046C4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046D513A mov eax, dword ptr fs:[00000030h] 7_2_046D513A
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0040ACE0 LdrLoadDll, 1_2_0040ACE0

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.alibabasdeli.com
Source: C:\Windows\explorer.exe Domain query: www.nanasyhogar.com
Source: C:\Windows\explorer.exe Network Connect: 172.67.173.57 80
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Network Connect: 50.31.177.38 80
Source: C:\Windows\explorer.exe Domain query: www.gigasupplies.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 890000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Memory written: C:\Users\user\Desktop\nji3Lg1ot6.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Thread register set: target process: 3352
Source: C:\Windows\SysWOW64\msiexec.exe Thread register set: target process: 3352
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Process created: C:\Users\user\Desktop\nji3Lg1ot6.exe "C:\Users\user\Desktop\nji3Lg1ot6.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\nji3Lg1ot6.exe"
Source: explorer.exe, 00000003.00000000.309952888.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.373713968.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.323037533.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.297671439.00000000011E0000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.562428393.0000000002F30000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.322349912.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000003.00000000.373413712.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000003.00000000.297387525.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 00000003.00000000.311624897.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.309952888.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.373713968.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.323037533.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.297671439.00000000011E0000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.562428393.0000000002F30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.309952888.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.373713968.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.323037533.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.297671439.00000000011E0000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.562428393.0000000002F30000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.309952888.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.373713968.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.323037533.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.297671439.00000000011E0000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.562428393.0000000002F30000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.330530785.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.314804164.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.303384073.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405AA7

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORY