Windows Analysis Report S9yf6BkjhTQUbHE.exe

Overview

General Information

Sample Name: S9yf6BkjhTQUbHE.exe
Analysis ID: 528622
MD5: 812861ad5cbb91bfa01a6a15c2cef128
SHA1: ca092e52319047d609cb6fcca1821a8f873416df
SHA256: a649d216b55b0f0597a16690b8469b6b44b9cdc73560d8237387b2df225ab20b
Tags: exe, Formbook
Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • S9yf6BkjhTQUbHE.exe (PID: 6344 cmdline: "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe" MD5: 812861AD5CBB91BFA01A6A15C2CEF128)
    • S9yf6BkjhTQUbHE.exe (PID: 6408 cmdline: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe MD5: 812861AD5CBB91BFA01A6A15C2CEF128)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 6488 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • msdt.exe (PID: 6472 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 6572 cmdline: /c del "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.peptidepowder.com/czh8/"], "decoy": ["ekkyo-business.com", "anamentor.com", "criptodigital.online", "smart-device.tech", "piano-tomimoto.com", "sergiojuradomunera.com", "xn----pl8a630b0whm6t.com", "exploitslozdz.xyz", "peregorodki.store", "authenticationtd.net", "ichelbrousset.com", "amboyshops.com", "hengtaigyl.com", "iliubo.com", "overtimersanonymous.com", "crimsonrangellc.com", "otterburnelanding.com", "ping-ken.info", "belezaweb.digital", "elementkultury.com", "heireply.xyz", "membranbakar.xyz", "babygirlletsheal.com", "alpe.paris", "fuslonnd.com", "massaora.com", "geatarotista.com", "namethatsetup.com", "igdxir.com", "tokatyapimarket.com", "soundnox.com", "ase3baeb4p.com", "uniteddatavault.com", "savageequipment.biz", "cutos2.com", "thietketrangtrinhacua.store", "mways-vintage.com", "cloudscapephotos.com", "padelscuolaroma.store", "medeiros.store", "green-umbrella.academy", "kobaran.com", "ilmkibahar.com", "blueworldaquariums.com", "bigjohnblues.com", "e2adriasec.online", "pufaawareskincare.com", "sumerchemicals.com", "epubgame.net", "nuditecouverte.com", "tbpadvogados.website", "cryptoentering.com", "dahliahearing.com", "annellata.xyz", "barberking.online", "cpw882.com", "dock-weiler.com", "dianyuwang.com", "fitpromax.xyz", "deckingtoronto.com", "boundlessentgroup.com", "metricwombat.com", "emergencyhomerepairnetwork.com", "fullerhomeloans.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 6472

Jbx Signature Overview

AV Detection:

Found malware configuration
          Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.peptidepowder.com/czh8/"], "decoy": ["ekkyo-business.com", "anamentor.com", "criptodigital.online", "smart-device.tech", "piano-tomimoto.com", "sergiojuradomunera.com", "xn----pl8a630b0whm6t.com", "exploitslozdz.xyz", "peregorodki.store", "authenticationtd.net", "ichelbrousset.com", "amboyshops.com", "hengtaigyl.com", "iliubo.com", "overtimersanonymous.com", "crimsonrangellc.com", "otterburnelanding.com", "ping-ken.info", "belezaweb.digital", "elementkultury.com", "heireply.xyz", "membranbakar.xyz", "babygirlletsheal.com", "alpe.paris", "fuslonnd.com", "massaora.com", "geatarotista.com", "namethatsetup.com", "igdxir.com", "tokatyapimarket.com", "soundnox.com", "ase3baeb4p.com", "uniteddatavault.com", "savageequipment.biz", "cutos2.com", "thietketrangtrinhacua.store", "mways-vintage.com", "cloudscapephotos.com", "padelscuolaroma.store", "medeiros.store", "green-umbrella.academy", "kobaran.com", "ilmkibahar.com", "blueworldaquariums.com", "bigjohnblues.com", "e2adriasec.online", "pufaawareskincare.com", "sumerchemicals.com", "epubgame.net", "nuditecouverte.com", "tbpadvogados.website", "cryptoentering.com", "dahliahearing.com", "annellata.xyz", "barberking.online", "cpw882.com", "dock-weiler.com", "dianyuwang.com", "fitpromax.xyz", "deckingtoronto.com", "boundlessentgroup.com", "metricwombat.com", "emergencyhomerepairnetwork.com", "fullerhomeloans.com"]}
Multi AV Scanner detection for submitted file
Source: S9yf6BkjhTQUbHE.exe, ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match, File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: S9yf6BkjhTQUbHE.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: S9yf6BkjhTQUbHE.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316216528.00000000013C0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.315540875.00000000011AF000.00000040.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315139597.0000000001090000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520823591.0000000004D9F000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520500167.0000000004C80000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: S9yf6BkjhTQUbHE.exe, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315540875.00000000011AF000.00000040.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315139597.0000000001090000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 00000012.00000002.520823591.0000000004D9F000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520500167.0000000004C80000.00000040.00000001.sdmp
Source: Binary string: msdt.pdb source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316216528.00000000013C0000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe, Code function: 4x nop then pop edi, 1_2_004162EC
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe, Code function: 4x nop then pop edi, 1_2_0040C41D
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop edi, 18_2_008E62EC
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop edi, 18_2_008DC41D

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49827 -> 34.117.168.233:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49827 -> 34.117.168.233:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49827 -> 34.117.168.233:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49837 -> 198.54.117.218:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49837 -> 198.54.117.218:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49837 -> 198.54.117.218:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.xn----pl8a630b0whm6t.com
Source: C:\Windows\explorer.exe, Domain query: www.epubgame.net
Source: C:\Windows\explorer.exe, Network Connect: 23.106.123.249 80
Source: C:\Windows\explorer.exe, Network Connect: 172.67.178.31 80
Source: C:\Windows\explorer.exe, Domain query: www.anamentor.com
Source: C:\Windows\explorer.exe, Domain query: www.fuslonnd.com
Source: C:\Windows\explorer.exe, Domain query: www.annellata.xyz
Source: C:\Windows\explorer.exe, Domain query: www.metricwombat.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe, DNS query: www.annellata.xyz
Source: DNS query: www.exploitslozdz.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.peptidepowder.com/czh8/
Source: Joe Sandbox View, ASN Name: LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: global traffic, HTTP traffic detected: GET /czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG+pwFiMTHdBlEYfNNBf&t4b=Zn-L HTTP/1.1, Host: www.anamentor.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View, IP Address: 23.106.123.249
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254291450.000000000304A000.00000004.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msdt.exe, 00000012.00000002.519445044.000000000315F000.00000004.00000020.sdmp, String found in binary or memory: http://www.xn----pl8a630b0whm6t.com/czh8/?7n=WfBFmY7eHt5QBShHhdd2jwwFQU0Qfs4ciJop7u3ZFFtbwI7iz04mk8i
Source: msdt.exe, 00000012.00000002.521258705.0000000005332000.00000004.00020000.sdmp, String found in binary or memory: https://www.anamentor.com/czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG
Source: unknown, DNS traffic detected: queries for: www.epubgame.net
Source: global traffic, HTTP traffic detected: GET /czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG+pwFiMTHdBlEYfNNBf&t4b=Zn-L HTTP/1.1, Host: www.anamentor.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.253365121.00000000011E9000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: S9yf6BkjhTQUbHE.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 0_2_05525AB0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 0_2_05525AA0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00401030
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041BA22
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041C42D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00408C8D
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00408C90
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00402D87
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041CFB4
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010BF900
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01182D07
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010B0D20
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010D4120
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01181D55
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E2581
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011825DD
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010CD5E0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010C841F
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01171002
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0117D466
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010CB090
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010E20A0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011820A8
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011828EC
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01182B28
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010EEBB0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0117DBD2
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01181FF1
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010D6E30
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_011822AE
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_01182EF7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6D466
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CB841F
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D725DD
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CBD5E0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD2581
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D71D55
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D72D07
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CA0D20
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D72EF7
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6D616
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CC6E30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D7DFCE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D71FF1
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D728EC
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CBB090
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CD20A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D720A8
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D61002
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D7E824
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCA830
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CAF900
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CC4120
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D722AE
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D5FA2B
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D6DBD2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D603DA
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CDEBB0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CCAB40
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04D72B28
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008EBA22
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008D8C8D
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008D8C90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008EC41E
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008D2D87
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008D2D90
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008ECFB4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_008D2FB0
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: String function: 010BB150 appears 35 times
Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 04CAB150 appears 54 times
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_004185F0 NtCreateFile
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_004186A0 NtReadFile
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_00418720 NtClose
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_004187D0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_0041869A NtReadFile
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_004187CA NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F95D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F98F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F97A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F96E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010FAD30 NtSetContextThread
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9950 NtQueueApcThread
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9560 NtWriteFile
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9820 NtEnumerateKey
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010FB040 NtSuspendThread
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9B00 NtSetValueKey
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010FA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9760 NtOpenProcess
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9770 NtSetInformationFile
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010FA770 NtOpenThread
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010FA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9A10 NtQuerySection
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9650 NtQueryValueKey
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe Code function: 1_2_010F96D0 NtCreateKey
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE95D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE96D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE96E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9650 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9560 NtWriteFile
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CEAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9760 NtOpenProcess
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CEA770 NtOpenThread
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CEA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CEB040 NtSuspendThread
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\msdt.exe Code function: 18_2_04CE9A00 NtProtectVirtualMemory