Analysis Report 86dXpRWnFG.exe

Overview

General Information

Sample Name: 86dXpRWnFG.exe
Analysis ID: 320986
MD5: 221e46c09eb3440beb5a2256211c3262
SHA1: 0f056342e6dffb5c4f3cdd1d7bd4ac5427175be0
SHA256: 6ca1b2240b6d547ada7051dc4d0c198517436943ffd7a4d1eebc0bca19ac038a
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 86dXpRWnFG.exe (PID: 204 cmdline: 'C:\Users\user\Desktop\86dXpRWnFG.exe' MD5: 221E46C09EB3440BEB5A2256211C3262)
    • 86dXpRWnFG.exe (PID: 6820 cmdline: C:\Users\user\Desktop\86dXpRWnFG.exe MD5: 221E46C09EB3440BEB5A2256211C3262)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 4616 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 4808 cmdline: /c del 'C:\Users\user\Desktop\86dXpRWnFG.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.785152903.00000000014C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000009.00000002.785152903.00000000014C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.785152903.00000000014C0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.914480557.0000000003550000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
0000000E.00000002.914480557.0000000003550000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.86dXpRWnFG.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
9.2.86dXpRWnFG.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.86dXpRWnFG.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
9.2.86dXpRWnFG.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
9.2.86dXpRWnFG.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 86dXpRWnFG.exe | Virustotal: Detection: 32%
Source: 86dXpRWnFG.exe | ReversingLabs: Detection: 10%
Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.785152903.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.914480557.0000000003550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.785228330.00000000014F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.914598348.0000000003820000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.782865836.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.738669459.0000000003659000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.913261174.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 9.2.86dXpRWnFG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.86dXpRWnFG.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 86dXpRWnFG.exe | Joe Sandbox ML: detected
Source: 9.2.86dXpRWnFG.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 4x nop then pop edi | 9_2_0040E451
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop edi | 14_2_00F3E451

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49767
Source: global traffic | HTTP traffic detected: GET /ogg/?FdtP=yL0l42d8z4u&JfspOLvH=fOCM8bU6nldV/iwSncfaF5Bzy/lGPGgo/g5DGIZRlu3EMk3UROnm6TGL4YPAlMSLjacD HTTP/1.1 Host: www.powderedsilk.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ogg/?JfspOLvH=+OCwvSqshndtikU4mojjB9YFTo9N+xlFipQY5pDaON76D3kf/3J7hGXS0Ci6kD/8+653&FdtP=yL0l42d8z4u HTTP/1.1 Host: www.voetbalvandaag.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 52.0.217.44
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: msdt.exe, 0000000E.00000002.917025969.0000000005D3F000.00000004.00000001.sdmp | String found in binary or memory: <html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://ogp.me/ns#"> equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: www.powderedsilk.com
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: msdt.exe, 0000000E.00000002.917025969.0000000005D3F000.00000004.00000001.sdmp | String found in binary or memory: http://i.cdnpark.com/themes/registrar/791105.css
Source: explorer.exe, 0000000A.00000002.915184347.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 86dXpRWnFG.exe, 00000000.00000002.737090679.0000000000D17000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comcomt_
Source: 86dXpRWnFG.exe, 00000000.00000002.737090679.0000000000D17000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comldva
Source: 86dXpRWnFG.exe, 00000000.00000002.737090679.0000000000D17000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 86dXpRWnFG.exe, 00000000.00000002.743106815.0000000005690000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.764411646.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: msdt.exe, 0000000E.00000002.917025969.0000000005D3F000.00000004.00000001.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.785152903.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.914480557.0000000003550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.785228330.00000000014F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.914598348.0000000003820000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.782865836.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.738669459.0000000003659000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.913261174.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 9.2.86dXpRWnFG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.86dXpRWnFG.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000009.00000002.785152903.00000000014C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.785152903.00000000014C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.914480557.0000000003550000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.914480557.0000000003550000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.785228330.00000000014F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.785228330.00000000014F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.914598348.0000000003820000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.914598348.0000000003820000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.782865836.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.782865836.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.738669459.0000000003659000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.738669459.0000000003659000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.913261174.0000000000F30000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.913261174.0000000000F30000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.2.86dXpRWnFG.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.86dXpRWnFG.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.2.86dXpRWnFG.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.86dXpRWnFG.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\86dXpRWnFG.exeCode function: 9_2_00419D60 NtCreateFile,9_2_00419D60
          Source: C:\Users\user\Desktop\86dXpRWnFG.exeCode function: 9_2_00419E10 NtReadFile,9_2_00419E10
          Source: C:\Users\user\Desktop\86dXpRWnFG.exeCode function: 9_2_00419E90 NtClose,9_2_00419E90
          Source: C:\Users\user\Desktop\86dXpRWnFG.exeCode function: 9_2_00419F40 NtAllocateVirtualMemory,9_2_00419F40
          Source: C:\Users\user\Desktop\86dXpRWnFG.exeCode function: 9_2_00419E0A NtReadFile,9_2_00419E0A
          Source: C:\Users\user\Desktop\86dXpRWnFG.exeCode function: 9_2_00419E8F NtClose,9_2_00419E8F
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389540 NtReadFile,LdrInitializeThunk,14_2_05389540
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_053895D0 NtClose,LdrInitializeThunk,14_2_053895D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389710 NtQueryInformationToken,LdrInitializeThunk,14_2_05389710
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389780 NtMapViewOfSection,LdrInitializeThunk,14_2_05389780
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389FE0 NtCreateMutant,LdrInitializeThunk,14_2_05389FE0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389660 NtAllocateVirtualMemory,LdrInitializeThunk,14_2_05389660
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389650 NtQueryValueKey,LdrInitializeThunk,14_2_05389650
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_053896E0 NtFreeVirtualMemory,LdrInitializeThunk,14_2_053896E0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_053896D0 NtCreateKey,LdrInitializeThunk,14_2_053896D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389910 NtAdjustPrivilegesToken,LdrInitializeThunk,14_2_05389910
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_053899A0 NtCreateSection,LdrInitializeThunk,14_2_053899A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389860 NtQuerySystemInformation,LdrInitializeThunk,14_2_05389860
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389840 NtDelayExecution,LdrInitializeThunk,14_2_05389840
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389A50 NtCreateFile,LdrInitializeThunk,14_2_05389A50
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_0538AD30 NtSetContextThread,14_2_0538AD30
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389520 NtWaitForSingleObject,14_2_05389520
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389560 NtWriteFile,14_2_05389560
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_053895F0 NtQueryInformationFile,14_2_053895F0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389730 NtQueryVirtualMemory,14_2_05389730
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_0538A710 NtOpenProcessToken,14_2_0538A710
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_0538A770 NtOpenThread,14_2_0538A770
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389770 NtSetInformationFile,14_2_05389770
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389760 NtOpenProcess,14_2_05389760
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_053897A0 NtUnmapViewOfSection,14_2_053897A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389610 NtEnumerateValueKey,14_2_05389610
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389670 NtQueryInformationProcess,14_2_05389670
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389950 NtQueueApcThread,14_2_05389950
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_053899D0 NtCreateProcessEx,14_2_053899D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389820 NtEnumerateKey,14_2_05389820
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_0538B040 NtSuspendThread,14_2_0538B040
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_053898A0 NtWriteVirtualMemory,14_2_053898A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_053898F0 NtReadVirtualMemory,14_2_053898F0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389B00 NtSetValueKey,14_2_05389B00
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_0538A3B0 NtGetContextThread,14_2_0538A3B0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389A20 NtResumeThread,14_2_05389A20
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389A10 NtQuerySection,14_2_05389A10
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389A00 NtProtectVirtualMemory,14_2_05389A00
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_05389A80 NtOpenDirectoryObject,14_2_05389A80
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_00F49D60 NtCreateFile,14_2_00F49D60
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_00F49E90 NtClose,14_2_00F49E90
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_00F49E10 NtReadFile,14_2_00F49E10
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_00F49F40 NtAllocateVirtualMemory,14_2_00F49F40
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_00F49E8F NtClose,14_2_00F49E8F
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 14_2_00F49E0A NtReadFile,14_2_00F49E0A
          Source: C:\Users\user\Desktop\86dXpRWnFG.exeCode function: 0_2_00225A630_2_00225A63
          Source: C:\Users\user\Desktop\86dXpRWnFG.exeCode function: 0_2_00AAC2B40_2_00AAC2B4
          Source: C:\Users\user\Desktop\86dXpRWnFG.exeCode function: 0_2_00AAE6080_2_00AAE608
          Source: C:\Users\user\Desktop\86dXpRWnFG.exeCode function: 0_2_00AAE6180_2_00AAE618
          Source: C:\Users\user\Desktop\86dXpRWnFG.exeCode function: 9_2_0041E87B9_2_0041E87B
          Source: C:\Users\user\Desktop\86dXpRWnFG.exeCode function: 9_2_004010309_2_00401030
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_00402D88
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_00402D90
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_00409E40
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_00409E3B
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_0041DFAF
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_00402FB0
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_00E35A63
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_00E35247
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_05340D20
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_05411D55
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_05412D07
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_054125DD
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_05372581
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_0535D5E0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_0540D466
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_0535841F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_0541DFCE
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_05411FF1
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_05366E30
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_0540D616
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_05412EF7
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_05364120
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_0534F900
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_05401002
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_0541E824
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_053720A0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_0535B090
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_054128EC
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_054120A8
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_05412B28
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_0537EBB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_0540DBD2
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_054003DA
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_054122AE
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00F32D90
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00F32D88
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00F39E40
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00F39E3B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00F32FB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00F4DFAF
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 0534B150 appears 39 times
          Source: 86dXpRWnFG.exe, 00000000.00000002.736228559.000000000030C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVfgwhtwrcepk2.exel% vs 86dXpRWnFG.exe
          Source: 86dXpRWnFG.exe, 00000000.00000002.737993531.0000000002921000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClassLibrary3.dll< vs 86dXpRWnFG.exe
          Source: 86dXpRWnFG.exe, 00000000.00000002.749362534.0000000006F50000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameObowjsde.dll4 vs 86dXpRWnFG.exe
          Source: 86dXpRWnFG.exe, 00000000.00000002.751018297.0000000007090000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 86dXpRWnFG.exe
          Source: 86dXpRWnFG.exe, 00000009.00000000.735500288.0000000000F1C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVfgwhtwrcepk2.exel% vs 86dXpRWnFG.exe
          Source: 86dXpRWnFG.exe, 00000009.00000002.790974355.00000000035A0000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs 86dXpRWnFG.exe
          Source: 86dXpRWnFG.exe, 00000009.00000002.785970586.0000000001A8F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 86dXpRWnFG.exe
          Source: 86dXpRWnFG.exe | Binary or memory string: OriginalFilenameVfgwhtwrcepk2.exel% vs 86dXpRWnFG.exe
          Source: 00000009.00000002.785152903.00000000014C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.785152903.00000000014C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.914480557.0000000003550000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.914480557.0000000003550000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.785228330.00000000014F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.785228330.00000000014F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.914598348.0000000003820000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.914598348.0000000003820000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.782865836.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.782865836.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.738669459.0000000003659000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.738669459.0000000003659000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.913261174.0000000000F30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.913261174.0000000000F30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.86dXpRWnFG.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.86dXpRWnFG.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.86dXpRWnFG.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.86dXpRWnFG.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@2/2
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\86dXpRWnFG.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_01
          Source: 86dXpRWnFG.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: 86dXpRWnFG.exe | Virustotal: Detection: 32%
          Source: 86dXpRWnFG.exe | ReversingLabs: Detection: 10%
          Source: unknown | Process created: C:\Users\user\Desktop\86dXpRWnFG.exe 'C:\Users\user\Desktop\86dXpRWnFG.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\86dXpRWnFG.exe C:\Users\user\Desktop\86dXpRWnFG.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\86dXpRWnFG.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Process created: C:\Users\user\Desktop\86dXpRWnFG.exe C:\Users\user\Desktop\86dXpRWnFG.exe
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\86dXpRWnFG.exe'
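The process chain recorded above (the sample re-executing itself from the user's Desktop, a SysWOW64 msdt.exe started with no arguments, and that msdt.exe running cmd.exe /c del against the original sample) is the behavioural fingerprint a detection engineer would want to encode rather than the file hash. The following is an added example and not part of the Joe Sandbox report: it applies three heuristics to constructed Sysmon-style process-creation events that mirror this chain. The event fields, the PIDs, the assumption that explorer.exe is the parent of msdt.exe (this section does not state the parent) and the list of "argument-less suspect" binaries are all assumptions made for the example.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed Sysmon EID 1-like fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


USER_DIRS = ("c:\\users\\",)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption for the example: system utilities that rarely run legitimately
# with an empty argument list and are popular hollowing / injection targets.
ARGLESS_SUSPECTS = {"msdt.exe", "svchost.exe", "wuauclt.exe", "cmstp.exe"}
DEL_RE = re.compile(r"""/c\s+del\s+['"]?([^'"]+?)['"]?\s*$""", re.I)


def _base(path):
    return ntpath.basename(path).lower()


def _args(cmdline, image):
    """Strip the image token (quoted or bare) from the front of the command line."""
    cl = cmdline.strip()
    for tok in (f"'{image}'", f'"{image}"', image):
        if cl.lower().startswith(tok.lower()):
            return cl[len(tok):].strip()
    return cl


def triage_process_tree(events):
    """Return (tag, pid, detail) findings for the injection/self-delete chain."""
    by_pid = {e.pid: e for e in events}
    seen_images = {e.image.lower() for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        img = e.image.lower()
        # 1. A binary under C:\Users re-executes itself: the classic hollowing
        #    pattern (suspended child, unmapped and overwritten with the payload).
        if parent and img.startswith(USER_DIRS) and img == parent.image.lower():
            findings.append(("self_respawn", e.pid, e.image))
        # 2. A system utility started with no arguments at all.
        if (img.startswith(SYSTEM_DIRS) and _base(img) in ARGLESS_SUSPECTS
                and _args(e.cmdline, e.image) == ""):
            findings.append(("argless_system_binary", e.pid, _base(img)))
        # 3. cmd.exe /c del <file> where <file> is an image that already executed:
        #    the payload removing the dropper after migrating to another process.
        if _base(img) == "cmd.exe":
            m = DEL_RE.search(e.cmdline)
            if m and m.group(1).lower() in seen_images:
                findings.append(("self_delete_via_cmd", e.pid, m.group(1)))
    return findings


# Constructed events mirroring the chain in this report (PIDs and the parent
# of msdt.exe are made up for the example).
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(1000, 400, r"C:\Users\user\Desktop\86dXpRWnFG.exe",
              r"'C:\Users\user\Desktop\86dXpRWnFG.exe'"),
    ProcEvent(1001, 1000, r"C:\Users\user\Desktop\86dXpRWnFG.exe",
              r"C:\Users\user\Desktop\86dXpRWnFG.exe"),
    ProcEvent(1002, 400, r"C:\Windows\SysWOW64\msdt.exe", r"C:\Windows\SysWOW64\msdt.exe"),
    ProcEvent(1003, 1002, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\Desktop\86dXpRWnFG.exe'"),
]

if __name__ == "__main__":
    for finding in triage_process_tree(SAMPLE_EVENTS):
        print(finding)
```

Each heuristic alone is noisy (installers re-spawn themselves, admins run cmd /c del); the value is in the conjunction within one process tree, so a production rule should score the three together rather than alert on any one.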
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: 86dXpRWnFG.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 86dXpRWnFG.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.758018401.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: msdt.pdbGCTL source: 86dXpRWnFG.exe, 00000009.00000002.790974355.00000000035A0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 86dXpRWnFG.exe, 00000009.00000002.785970586.0000000001A8F000.00000040.00000001.sdmp, msdt.exe, 0000000E.00000002.915505198.000000000543F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 86dXpRWnFG.exe, 00000009.00000002.785970586.0000000001A8F000.00000040.00000001.sdmp, msdt.exe
          Source: Binary string: msdt.pdb source: 86dXpRWnFG.exe, 00000009.00000002.790974355.00000000035A0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.758018401.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_0041797C push ecx; retf 9_2_0041797F
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_00417936 push esp; retf 9_2_00417937
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_0040E3E7 push ebp; iretd 9_2_0040E3E8
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_00417C0D push ss; ret 9_2_00417C13
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_0041CEB5 push eax; ret 9_2_0041CF08
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_0041CF6C push eax; ret 9_2_0041CF72
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_0041CF02 push eax; ret 9_2_0041CF08
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_0041CF0B push eax; ret 9_2_0041CF72
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_0041D7C6 push cs; retf 9_2_0041D7C7
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_0041678C push 00000050h; retf 9_2_0041678F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_0539D0D1 push ecx; ret 14_2_0539D0E4
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00F4797C push ecx; retf 14_2_00F4797F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00F47936 push esp; retf 14_2_00F47937
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00F3E3E7 push ebp; iretd 14_2_00F3E3E8
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00F47C0D push ss; ret 14_2_00F47C13
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00F4CEB5 push eax; ret 14_2_00F4CF08
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00F4D7C6 push cs; retf 14_2_00F4D7C7
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00F4678C push 00000050h; retf 14_2_00F4678F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00F4CF6C push eax; ret 14_2_00F4CF72
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00F4CF02 push eax; ret 14_2_00F4CF08
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00F4CF0B push eax; ret 14_2_00F4CF72
          Source: 86dXpRWnFG.exe, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs | High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
          Source: 86dXpRWnFG.exe, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs | High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
          Source: 0.0.86dXpRWnFG.exe.220000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs | High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
          Source: 0.0.86dXpRWnFG.exe.220000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs | High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
          Source: 0.2.86dXpRWnFG.exe.220000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs | High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
          Source: 0.2.86dXpRWnFG.exe.220000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs | High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
          Source: 9.0.86dXpRWnFG.exe.e30000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs | High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
          Source: 9.0.86dXpRWnFG.exe.e30000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs | High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
          Source: 9.2.86dXpRWnFG.exe.e30000.1.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs | High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
          Source: 9.2.86dXpRWnFG.exe.e30000.1.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs | High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE0
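The signature above fires because the first bytes of user32!PeekMessageA inside explorer.exe no longer match what the module's image contains; FormBook places inline hooks on message-loop and input APIs in the hijacked explorer.exe to harvest keystrokes and form data. The following is an added example and not part of the Joe Sandbox report: it shows how a memory scanner classifies such a prolog change by diffing the loaded bytes against the on-disk bytes and recognising the common trampoline shapes. The prolog bytes, function addresses and export names in the sample data are constructed for the example (the six bytes the report lists for PeekMessageA are not decoded here), and the caller is assumed to have applied base relocations to the on-disk copy before comparing, otherwise every relocated immediate looks like a patch.

```python
import struct


def _match_trampoline(b, base, x64):
    """Recognise a hook stub at the start of b.

    Returns (kind, stub_length, target) or None. `base` is the virtual address
    of b[0]; `target` is the resolved branch destination, except for the
    indirect jmp where it is the address of the pointer slot (x86: absolute,
    x64: RIP-relative) because resolving it needs a memory read.
    """
    if len(b) >= 5 and b[0] == 0xE9:                                   # jmp rel32
        return ("jmp_rel32", 5, base + 5 + struct.unpack_from("<i", b, 1)[0])
    if len(b) >= 2 and b[0] == 0xEB:                                   # jmp rel8 (hot-patch style)
        return ("jmp_rel8", 2, base + 2 + int.from_bytes(b[1:2], "little", signed=True))
    if len(b) >= 6 and b[:2] == b"\xFF\x25":                           # jmp [disp32] / jmp [rip+disp32]
        disp = struct.unpack_from("<i", b, 2)[0]
        return ("jmp_indirect", 6, (base + 6 + disp) if x64 else (disp & 0xFFFFFFFF))
    if len(b) >= 12 and b[:2] == b"\x48\xB8" and b[10:12] == b"\xFF\xE0":  # mov rax, imm64; jmp rax
        return ("mov_rax_jmp_rax", 12, struct.unpack_from("<Q", b, 2)[0])
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:                  # push imm32; ret
        return ("push_ret", 6, struct.unpack_from("<I", b, 1)[0])
    return None


def classify_prolog(disk, mem, func_addr=0, x64=False):
    """Compare a function's loaded prolog with its (relocated) on-disk bytes.

    Returns None when they agree, otherwise (kind, offset_of_stub, target).
    """
    n = min(len(disk), len(mem))
    diff = next((i for i in range(n) if disk[i] != mem[i]), None)
    if diff is None:
        return None if len(disk) == len(mem) else ("length_mismatch", n, None)
    # A stub may start at offset 0 even when its first byte happens to equal the
    # original (e.g. 0x48 REX prefix), so try both the function start and the
    # first differing byte, and accept a stub only if it covers that byte.
    for off in sorted({0, diff}):
        hit = _match_trampoline(mem[off:], func_addr + off, x64)
        if hit and off + hit[1] > diff:
            return (hit[0], off, hit[2])
    return ("unknown_patch", diff, None)


def scan_exports(on_disk, in_memory, func_addrs, x64=False):
    """Run classify_prolog over every export present in the on-disk map."""
    results = {}
    for name, clean in on_disk.items():
        r = classify_prolog(clean, in_memory.get(name, b""), func_addrs.get(name, 0), x64)
        if r is not None:
            results[name] = r
    return results


# Constructed sample data (not taken from user32.dll): a typical 32-bit prolog
# "mov edi,edi; push ebp; mov ebp,esp; sub esp,10h; push esi; push edi".
X86_PROLOG = bytes.fromhex("8BFF558BEC83EC105657")
# "mov [rsp+8],rbx; push rdi; sub rsp,20h" for the 64-bit case.
X64_PROLOG = bytes.fromhex("48895C2408574883EC20")
FUNC_ADDR = 0x77E01000                                   # assumed load address
ON_DISK = {"PeekMessageA": X86_PROLOG, "GetMessageA": X86_PROLOG, "PostMessageA": X86_PROLOG}
IN_MEMORY = {
    "PeekMessageA": b"\xE9" + struct.pack("<i", 0x1000 - 5) + X86_PROLOG[5:],   # jmp FUNC_ADDR+0x1000
    "GetMessageA": X86_PROLOG,                                                  # untouched
    "PostMessageA": b"\x68" + struct.pack("<I", 0x00420000) + b"\xC3" + X86_PROLOG[6:],  # push/ret
}
ADDRS = {"PeekMessageA": FUNC_ADDR, "GetMessageA": FUNC_ADDR + 0x40, "PostMessageA": FUNC_ADDR + 0x80}

if __name__ == "__main__":
    for name, verdict in scan_exports(ON_DISK, IN_MEMORY, ADDRS).items():
        print(name, verdict)
```

On a live system the `in_memory` side comes from ReadProcessMemory on the target and the `on_disk` side from mapping the same DLL version and applying its relocations; exclude functions that Windows itself hot-patches (the `mov edi,edi` / `jmp rel8` form) unless the short jump leaves the module.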
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Process information set: NOOPENFILEERRORBOX (38 occurrences)
          Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX, NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: 86dXpRWnFG.exe, 00000000.00000002.749362534.0000000006F50000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLLHEADKCREATEOBJECT("WSCRIPT.SHELL").RUN """
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000000F398E4 second address: 0000000000F398EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000000F39B5E second address: 0000000000F39B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_00409A90 rdtsc
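The interceptor lines above show the exact idiom the sandbox caught: two rdtsc reads six bytes apart with only register shuffling between them, so that a hypervisor trapping rdtsc (or a single-stepping debugger) inflates the delta. The same payload also reads the PEB through fs:[30h], as the msdt.exe code-function lines further down in this section record. The following is an added example and not part of the Joe Sandbox report: a static triage scan over raw 32-bit code bytes that flags rdtsc pairs and PEB reads that are followed by an access to PEB+2 (BeingDebugged). The code buffer is hand-assembled for the example and the load address is chosen so that the pair resolves to the same addresses as the report's first interceptor line; byte-pattern matching ignores instruction boundaries, so hits must be confirmed in a disassembler.

```python
import re

# x86-32 encodings. Each pattern is a regex over raw code bytes.
PATTERNS = {
    "rdtsc": re.compile(rb"\x0F\x31"),
    "cpuid": re.compile(rb"\x0F\xA2"),
    # mov eax, fs:[30h] (A1 moffs32) or mov r32, fs:[30h] (8B /r with mod=00 rm=101)
    "peb_read": re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00"),
}
# Accesses to PEB+2 through eax shortly after the PEB read:
# movzx eax, byte [eax+2] / cmp byte [eax+2], 0 / mov al, [eax+2]
BEING_DEBUGGED_ACCESS = re.compile(rb"\x0F\xB6\x40\x02|\x80\x78\x02\x00|\x8A\x40\x02")


def find_anti_analysis(code, base=0, pair_window=16, peb_window=16):
    """Return a dict of indicator name -> list of virtual addresses (or pairs)."""
    hits = {name: [base + m.start() for m in rx.finditer(code)] for name, rx in PATTERNS.items()}
    # Two rdtsc reads within a few bytes of each other is the timing check the
    # sandbox intercepted (rdtsc / xor ecx,ecx / add ecx,eax / rdtsc).
    rd = hits["rdtsc"]
    hits["rdtsc_pair"] = [(a, b) for a, b in zip(rd, rd[1:]) if b - a <= pair_window]
    # A PEB read followed by a byte access at +2 is a BeingDebugged check.
    hits["beingdebugged_check"] = [
        p for p in hits["peb_read"]
        if BEING_DEBUGGED_ACCESS.search(code, p - base + 6, p - base + 6 + peb_window)
    ]
    return hits


# Constructed code buffer (assembled by hand for the example, not from the sample).
SAMPLE_CODE = bytes.fromhex(
    "0F31"          # rdtsc
    "31C9"          # xor ecx, ecx
    "01C1"          # add ecx, eax
    "0F31"          # rdtsc
    "2BC1"          # sub eax, ecx
    "3D00100000"    # cmp eax, 0x1000
    "7705"          # ja short +5
    "90909090"      # nop x4
    "64A130000000"  # mov eax, fs:[30h]            ; PEB
    "0FB64002"      # movzx eax, byte ptr [eax+2]  ; PEB.BeingDebugged
    "85C0"          # test eax, eax
    "7502"          # jnz short +2
    "C3"            # ret
)
SAMPLE_BASE = 0x4098E4   # chosen so the pair lands on the report's first interceptor addresses

if __name__ == "__main__":
    for name, found in find_anti_analysis(SAMPLE_CODE, SAMPLE_BASE).items():
        print(name, [hex(x) if isinstance(x, int) else tuple(map(hex, x)) for x in found])
```

Run this over the unpacked 9.2.86dXpRWnFG.exe.400000.0.unpack image rather than the packed .NET loader; the rdtsc and fs:[30h] idioms live in the native FormBook payload, not in the C# wrapper.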
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe TID: 3984 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6360 | Thread sleep time: -40000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: explorer.exe, 0000000A.00000000.762827387.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000A.00000000.757122057.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: 86dXpRWnFG.exe, 00000000.00000002.749362534.0000000006F50000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 0000000A.00000000.758744895.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000A.00000000.762827387.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000A.00000002.922688507.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 0000000A.00000000.757122057.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 0000000A.00000000.763244737.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 0000000A.00000000.757122057.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 0000000A.00000000.763244737.000000000A716000.00000004.00000001.sdmp | Binary or memory string: 0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA^
          Source: explorer.exe, 0000000A.00000000.763244737.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 0000000A.00000000.757122057.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msdt.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\86dXpRWnFG.exe | Code function: 9_2_0040ACD0 LdrLoadDll
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_05353D34 mov eax, dword ptr fs:[00000030h] (13 occurrences)
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_0534AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ms