Windows Analysis Report HkE0tD0g4NXKJfy.exe

Overview

General Information

Sample Name: HkE0tD0g4NXKJfy.exe
Analysis ID: 528615
MD5: fcc2d1cda8d3989feca9c5f5f900e164
SHA1: 075de723df172cc93c537d5472ad8025f192ddc8
SHA256: 77e1c24ecfa1d339f61b4b8011690425fa0038b3fe32761f5ce8b3126c28c5ad
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • HkE0tD0g4NXKJfy.exe (PID: 5624 cmdline: "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe" MD5: FCC2D1CDA8D3989FECA9C5F5F900E164)
    • HkE0tD0g4NXKJfy.exe (PID: 3336 cmdline: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe MD5: FCC2D1CDA8D3989FECA9C5F5F900E164)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 5960 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 5904 cmdline: /c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.platinumcredit.net/sh5d/"], "decoy": ["officejava.store", "appletitan.info", "securebankofamericalog.site", "weprepareamerica-world.com", "suepersoldiers.com", "aproveiteagoras2.com", "harusan.website", "zqmm.net", "joinundergrad.com", "thefullfledged.com", "jadonzia.com", "maoshuochen.com", "tuntun-newmarket.com", "danijela-djordjevic.com", "usaonlinedocs.com", "penspanter.quest", "theclubhouse.tech", "jakital.com", "nj013.com", "foodpanda.digital", "arsels.info", "junkingcarslosangelescounty.com", "formaldressesforwomen.com", "xingruinet.ltd", "xcgtsret.com", "151motors.com", "realsteelsoftwaresending.com", "cutos2.com", "justifygomqbe.xyz", "ini91.com", "uniformfacilities.com", "bullochlifetimelegacy.com", "ddivfc.com", "tuvinoencamino.com", "nbtianzhou.com", "segmauth.com", "thelittlebookof52.com", "bellezamarket.store", "terrysboutique.store", "lightinghj.com", "malayray.com", "7routines.com", "costsma.net", "tapissier-uzes.com", "reparacion-termos-madrid.com", "combingtheratsnest.com", "bobcathntshop.com", "launchpalop.com", "gopheratms.com", "mydatingshop.com", "mosucoffee.club", "ebonyslivestockservice.online", "vupeliquid.com", "buzzsaw.club", "kg-zenith.com", "quimicosypapelesdelnte.com", "secure-mivote.com", "curatorsofkool.com", "quickipcheck.com", "ruggrunnerz.com", "magoro.com", "electricatrick.com", "coralload.com", "herhimalaya.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(31 entries in total; the remaining entries are not shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(18 entries in total; the remaining entries are not shown here)

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 5960

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.platinumcredit.net/sh5d/"], "decoy": ["officejava.store", "appletitan.info", "securebankofamericalog.site", "weprepareamerica-world.com", "suepersoldiers.com", "aproveiteagoras2.com", "harusan.website", "zqmm.net", "joinundergrad.com", "thefullfledged.com", "jadonzia.com", "maoshuochen.com", "tuntun-newmarket.com", "danijela-djordjevic.com", "usaonlinedocs.com", "penspanter.quest", "theclubhouse.tech", "jakital.com", "nj013.com", "foodpanda.digital", "arsels.info", "junkingcarslosangelescounty.com", "formaldressesforwomen.com", "xingruinet.ltd", "xcgtsret.com", "151motors.com", "realsteelsoftwaresending.com", "cutos2.com", "justifygomqbe.xyz", "ini91.com", "uniformfacilities.com", "bullochlifetimelegacy.com", "ddivfc.com", "tuvinoencamino.com", "nbtianzhou.com", "segmauth.com", "thelittlebookof52.com", "bellezamarket.store", "terrysboutique.store", "lightinghj.com", "malayray.com", "7routines.com", "costsma.net", "tapissier-uzes.com", "reparacion-termos-madrid.com", "combingtheratsnest.com", "bobcathntshop.com", "launchpalop.com", "gopheratms.com", "mydatingshop.com", "mosucoffee.club", "ebonyslivestockservice.online", "vupeliquid.com", "buzzsaw.club", "kg-zenith.com", "quimicosypapelesdelnte.com", "secure-mivote.com", "curatorsofkool.com", "quickipcheck.com", "ruggrunnerz.com", "magoro.com", "electricatrick.com", "coralload.com", "herhimalaya.com"]}
Multi AV Scanner detection for submitted file
Source: HkE0tD0g4NXKJfy.exe, ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match, File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: HkE0tD0g4NXKJfy.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: HkE0tD0g4NXKJfy.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: HkE0tD0g4NXKJfy.exe, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
Source: Binary string: msdt.pdb source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 4x nop then pop ebx, 7_2_00406AB4
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 4x nop then pop esi, 7_2_00415760
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 4x nop then pop esi, 7_2_004157C6
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop ebx, 13_2_02D06AB5
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop esi, 13_2_02D157C6
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop esi, 13_2_02D15760

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49786 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49786 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49786 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 142.250.203.115:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 142.250.203.115:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 142.250.203.115:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.platinumcredit.net
Source: C:\Windows\explorer.exe, Domain query: www.thefullfledged.com
Source: C:\Windows\explorer.exe, Domain query: www.jakital.com
Source: C:\Windows\explorer.exe, Network Connect: 142.250.203.115 80
Source: C:\Windows\explorer.exe, Domain query: www.xcgtsret.com
Source: C:\Windows\explorer.exe, Domain query: www.suepersoldiers.com
Source: C:\Windows\explorer.exe, Domain query: www.arsels.info
Source: C:\Windows\explorer.exe, Domain query: www.electricatrick.com
Source: C:\Windows\explorer.exe, Network Connect: 103.224.212.219 80
Source: C:\Windows\explorer.exe, Network Connect: 52.204.216.132 80
Source: C:\Windows\explorer.exe, Domain query: www.151motors.com
Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.platinumcredit.net/sh5d/
Source: Joe Sandbox View, ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=hy4EQ9RQ8H0Qmf+V5oZYawTzVdNi6YgEsN2g+zlr8kWBt8RwCZI+yMGy7WuYiu2G3qgy&8pZ=MFQX HTTP/1.1, Host: www.platinumcredit.net, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=KHnqZ0TbjHhhriSsr4IC2tQHFpsEpNX6XKtcehIZDPMVzpPTFiaMMZSG67rbMC0Gdpxx&8pZ=MFQX HTTP/1.1, Host: www.151motors.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=SDhgbwSt5mB4DODrBIecU0Cn9nI1MHSsH0Hazkrlv9wpSquk3LdmspAinMLs2LJY3gHa&8pZ=MFQX HTTP/1.1, Host: www.suepersoldiers.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=U9Dn+H6I1oLCGiFi1oW/bg7Rnic0zjRPtt9AMGb5MRiLdOF7LfbhYF1T4mwo8MTrEy0Q&8pZ=MFQX HTTP/1.1, Host: www.arsels.info, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=bH0MuGY0n47F1S4kOvzCBL0/mw6YL+7138CmEb6WqYz18csJYDgpNmReh/JvI3nBbY8S&8pZ=MFQX HTTP/1.1, Host: www.electricatrick.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=Pdn0Hokg7Q3B7dDVtUX5QMohVVbqJZ0HrhWfxUy6sRCS+GjM4sZ5xKohcZ81Ep8iPYLe&8pZ=MFQX HTTP/1.1, Host: www.vupeliquid.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View, IP Address: 103.224.212.219
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden, Server: openresty, Date: Thu, 25 Nov 2021 14:09:09 GMT, Content-Type: text/html, Content-Length: 275, ETag: "618be73d-113", Via: 1.1 google, Connection: close, Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a, Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden, Server: openresty, Date: Thu, 25 Nov 2021 14:09:14 GMT, Content-Type: text/html, Content-Length: 275, ETag: "618be75c-113", Via: 1.1 google, Connection: close, Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a, Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden, Server: openresty, Date: Thu, 25 Nov 2021 14:09:36 GMT, Content-Type: text/html, Content-Length: 275, ETag: "6192576c-113", Via: 1.1 google, Connection: close, Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a, Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden, Server: openresty, Date: Thu, 25 Nov 2021 14:10:15 GMT, Content-Type: text/html, Content-Length: 275, ETag: "6192576d-113", Via: 1.1 google, Connection: close, Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a, Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msdt.exe, 0000000D.00000002.550615461.0000000000453000.00000004.00000020.sdmp, String found in binary or memory: http://www.jakital.com/
Source: msdt.exe, 0000000D.00000002.550810990.0000000000475000.00000004.00000020.sdmp, String found in binary or memory: http://www.jakital.com/sh5d/?Yv=deNwNK4CD/WMHHT4cYNp3s43CKigm652n7BnZRGAFJqHojdiJSlOhFJhA2qOeK3G
Source: unknown, DNS traffic detected: queries for: www.platinumcredit.net
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=hy4EQ9RQ8H0Qmf+V5oZYawTzVdNi6YgEsN2g+zlr8kWBt8RwCZI+yMGy7WuYiu2G3qgy&8pZ=MFQX HTTP/1.1, Host: www.platinumcredit.net, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=KHnqZ0TbjHhhriSsr4IC2tQHFpsEpNX6XKtcehIZDPMVzpPTFiaMMZSG67rbMC0Gdpxx&8pZ=MFQX HTTP/1.1, Host: www.151motors.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=SDhgbwSt5mB4DODrBIecU0Cn9nI1MHSsH0Hazkrlv9wpSquk3LdmspAinMLs2LJY3gHa&8pZ=MFQX HTTP/1.1, Host: www.suepersoldiers.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=U9Dn+H6I1oLCGiFi1oW/bg7Rnic0zjRPtt9AMGb5MRiLdOF7LfbhYF1T4mwo8MTrEy0Q&8pZ=MFQX HTTP/1.1, Host: www.arsels.info, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=bH0MuGY0n47F1S4kOvzCBL0/mw6YL+7138CmEb6WqYz18csJYDgpNmReh/JvI3nBbY8S&8pZ=MFQX HTTP/1.1, Host: www.electricatrick.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=Pdn0Hokg7Q3B7dDVtUX5QMohVVbqJZ0HrhWfxUy6sRCS+GjM4sZ5xKohcZ81Ep8iPYLe&8pZ=MFQX HTTP/1.1, Host: www.vupeliquid.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: HkE0tD0g4NXKJfy.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 0_2_00C15C24, 0_2_00C15C24
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 0_2_013D8250, 0_2_013D8250
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 0_2_013DD2F8, 0_2_013DD2F8
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 0_2_013DD2E8, 0_2_013DD2E8
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_00401030, 7_2_00401030
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_0041BA02, 7_2_0041BA02
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_00408C7C, 7_2_00408C7C
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_0041CC38, 7_2_0041CC38
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_00408C80, 7_2_00408C80
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_0041C529, 7_2_0041C529
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_0041BD30, 7_2_0041BD30
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_00402D87, 7_2_00402D87
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_00402D90, 7_2_00402D90
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_00402FB0, 7_2_00402FB0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_00E65C24, 7_2_00E65C24
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_018EF900, 7_2_018EF900
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01904120, 7_2_01904120
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_018FB090, 7_2_018FB090
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019120A0, 7_2_019120A0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019B20A8, 7_2_019B20A8
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019B28EC, 7_2_019B28EC
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019A1002, 7_2_019A1002
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_0191EBB0, 7_2_0191EBB0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019ADBD2, 7_2_019ADBD2
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019B2B28, 7_2_019B2B28
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019B22AE, 7_2_019B22AE
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01912581, 7_2_01912581
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019B25DD, 7_2_019B25DD
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_018FD5E0, 7_2_018FD5E0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019B2D07, 7_2_019B2D07
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_018E0D20, 7_2_018E0D20
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019B1D55, 7_2_019B1D55
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_018F841F, 7_2_018F841F
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019AD466, 7_2_019AD466
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019B1FF1, 7_2_019B1FF1
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019B2EF7, 7_2_019B2EF7
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019AD616, 7_2_019AD616
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01906E30, 7_2_01906E30
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_047ED466, 13_2_047ED466
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_0473841F, 13_2_0473841F
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_047F1D55, 13_2_047F1D55
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_04720D20, 13_2_04720D20
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_047F2D07, 13_2_047F2D07
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_0473D5E0, 13_2_0473D5E0
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_047F25DD, 13_2_047F25DD
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_04752581, 13_2_04752581
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_04746E30, 13_2_04746E30
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_047ED616, 13_2_047ED616
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_047F2EF7, 13_2_047F2EF7
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_047F1FF1, 13_2_047F1FF1
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_047E1002, 13_2_047E1002
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_047F28EC, 13_2_047F28EC
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_047520A0, 13_2_047520A0
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_047F20A8, 13_2_047F20A8
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_0473B090, 13_2_0473B090
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_04744120, 13_2_04744120
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_0472F900, 13_2_0472F900
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_047F22AE, 13_2_047F22AE
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_047F2B28, 13_2_047F2B28
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_047EDBD2, 13_2_047EDBD2
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_0475EBB0, 13_2_0475EBB0
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_02D02FB0, 13_2_02D02FB0
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_02D08C80, 13_2_02D08C80
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_02D08C7C, 13_2_02D08C7C
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_02D1CC38, 13_2_02D1CC38
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_02D02D90, 13_2_02D02D90
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 13_2_02D02D87, 13_2_02D02D87
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: String function: 018EB150 appears 35 times
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: String function: 0472B150 appears 35 times
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_004185E0 NtCreateFile, 7_2_004185E0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_00418690 NtReadFile, 7_2_00418690
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_00418710 NtClose, 7_2_00418710
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_004187C0 NtAllocateVirtualMemory, 7_2_004187C0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_004185DA NtCreateFile, 7_2_004185DA
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_0041873A NtReadFile, 7_2_0041873A
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_004187BC NtAllocateVirtualMemory, 7_2_004187BC
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019299A0 NtCreateSection, LdrInitializeThunk, 7_2_019299A0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929910 NtAdjustPrivilegesToken, LdrInitializeThunk, 7_2_01929910
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019298F0 NtReadVirtualMemory, LdrInitializeThunk, 7_2_019298F0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929840 NtDelayExecution, LdrInitializeThunk, 7_2_01929840
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929860 NtQuerySystemInformation, LdrInitializeThunk, 7_2_01929860
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929A00 NtProtectVirtualMemory, LdrInitializeThunk, 7_2_01929A00
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929A20 NtResumeThread, LdrInitializeThunk, 7_2_01929A20
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929A50 NtCreateFile, LdrInitializeThunk, 7_2_01929A50
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019295D0 NtClose, LdrInitializeThunk, 7_2_019295D0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929540 NtReadFile, LdrInitializeThunk, 7_2_01929540
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929780 NtMapViewOfSection, LdrInitializeThunk, 7_2_01929780
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019297A0 NtUnmapViewOfSection, LdrInitializeThunk, 7_2_019297A0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929FE0 NtCreateMutant, LdrInitializeThunk, 7_2_01929FE0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929710 NtQueryInformationToken, LdrInitializeThunk, 7_2_01929710
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019296E0 NtFreeVirtualMemory, LdrInitializeThunk, 7_2_019296E0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929660 NtAllocateVirtualMemory, LdrInitializeThunk, 7_2_01929660
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019299D0 NtCreateProcessEx, 7_2_019299D0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929950 NtQueueApcThread, 7_2_01929950
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019298A0 NtWriteVirtualMemory, 7_2_019298A0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929820 NtEnumerateKey, 7_2_01929820
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_0192B040 NtSuspendThread, 7_2_0192B040
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_0192A3B0 NtGetContextThread, 7_2_0192A3B0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929B00 NtSetValueKey, 7_2_01929B00
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929A80 NtOpenDirectoryObject, 7_2_01929A80
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929A10 NtQuerySection, 7_2_01929A10
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_019295F0 NtQueryInformationFile, 7_2_019295F0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_0192AD30 NtSetContextThread, 7_2_0192AD30
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929520 NtWaitForSingleObject, 7_2_01929520
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929560 NtWriteFile, 7_2_01929560
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_0192A710 NtOpenProcessToken, 7_2_0192A710
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 7_2_01929730 NtQueryVirtualMemory, 7_2_01929730
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_