
Analysis Report SWIFT 00395_IMG.exe

Overview

General Information

Sample Name: SWIFT 00395_IMG.exe
Analysis ID: 403611
MD5: f19e6012ff248b9b380bb420080258ce
SHA1: 317ee43a8116aae39f3de3279620ecff4ac05b2c
SHA256: 069a900aaa6ab5e4b9279cf5bd47e7123c37787f87ac58d6e64383685371ba52
Tags: Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • SWIFT 00395_IMG.exe (PID: 7004 cmdline: 'C:\Users\user\Desktop\SWIFT 00395_IMG.exe' MD5: F19E6012FF248B9B380BB420080258CE)
    • svchost.exe (PID: 7056 cmdline: 'C:\Users\user\Desktop\SWIFT 00395_IMG.exe' MD5: FA6C268A5B5BDA067A901764D203D433)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 4088 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 5936 cmdline: /c del 'C:\Windows\SysWOW64\svchost.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.seroungift.com/bbqo/"], "decoy": ["theinfluenstar.com", "1800quilts.com", "sonsuz-muzik.com", "manilowsmodems.com", "amwajcare.com", "eam.email", "cscosmos.com", "tierraovens.com", "goimtv.com", "checks4d.com", "beijig.com", "szzyhjj.com", "huanchunjx.com", "catqq.one", "vendasuascartas.com", "cannatends.com", "cytotecobatpenggugur.com", "centralvalleypartners4youth.com", "entreforma.com", "azhathai.com", "crickescore.com", "thebestcoffeeshops.com", "melacane.com", "sunrisemoving.net", "hauck-aufhauser.com", "katiacontrerash.com", "lavi3dscans.com", "senmec23.com", "photographerleadmachine.com", "snowtreeendeavor.com", "autosbencar.com", "epoform.com", "kissdstudio.com", "bestdamnseamoss.com", "ksdfp-zvhn.xyz", "cabletvlasvegas.com", "xiangyuwenhua.com", "angiesgourmet.com", "centerplans.com", "xyl.finance", "vivilhavemorgenmadnu.com", "jaynefgulbin.com", "californiahiker.com", "hausofzou.com", "velocischooner.com", "boxj66.com", "theboundless.life", "backroadinc.com", "diemapp.com", "whatismychinesename.com", "sebags.com", "stick.plus", "crwebtech.com", "famefabulous.com", "pubgsetpharaoh.com", "northernbackflow.com", "goportjitney.com", "warzonetracker.net", "homesteaddigestemail.com", "carboncuriosity.com", "sunnahaid.com", "makeoverfurn.com", "captisimaginem.com", "puzed.net"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.919033031.0000000003170000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.919033031.0000000003170000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.919033031.0000000003170000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.918989444.0000000003110000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.918989444.0000000003110000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.svchost.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158a9:$sqlite3step: 68 34 1C 7B E1
  • 0x159bc:$sqlite3step: 68 34 1C 7B E1
  • 0x158d8:$sqlite3text: 68 38 2A 90 C5
  • 0x159fd:$sqlite3text: 68 38 2A 90 C5
  • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
0.2.SWIFT 00395_IMG.exe.3040000.4.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.SWIFT 00395_IMG.exe.3040000.4.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000002.919033031.0000000003170000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.seroungift.com/bbqo/"], "decoy": ["theinfluenstar.com", "1800quilts.com", "sonsuz-muzik.com", "manilowsmodems.com", "amwajcare.com", "eam.email", "cscosmos.com", "tierraovens.com", "goimtv.com", "checks4d.com", "beijig.com", "szzyhjj.com", "huanchunjx.com", "catqq.one", "vendasuascartas.com", "cannatends.com", "cytotecobatpenggugur.com", "centralvalleypartners4youth.com", "entreforma.com", "azhathai.com", "crickescore.com", "thebestcoffeeshops.com", "melacane.com", "sunrisemoving.net", "hauck-aufhauser.com", "katiacontrerash.com", "lavi3dscans.com", "senmec23.com", "photographerleadmachine.com", "snowtreeendeavor.com", "autosbencar.com", "epoform.com", "kissdstudio.com", "bestdamnseamoss.com", "ksdfp-zvhn.xyz", "cabletvlasvegas.com", "xiangyuwenhua.com", "angiesgourmet.com", "centerplans.com", "xyl.finance", "vivilhavemorgenmadnu.com", "jaynefgulbin.com", "californiahiker.com", "hausofzou.com", "velocischooner.com", "boxj66.com", "theboundless.life", "backroadinc.com", "diemapp.com", "whatismychinesename.com", "sebags.com", "stick.plus", "crwebtech.com", "famefabulous.com", "pubgsetpharaoh.com", "northernbackflow.com", "goportjitney.com", "warzonetracker.net", "homesteaddigestemail.com", "carboncuriosity.com", "sunnahaid.com", "makeoverfurn.com", "captisimaginem.com", "puzed.net"]}
Yara detected FormBook
Source: Yara match | File source: 00000007.00000002.919033031.0000000003170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.918989444.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.711497215.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.711385222.0000000000D30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.710720815.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.665787832.0000000003040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.917600888.0000000000A60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWIFT 00395_IMG.exe.3040000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWIFT 00395_IMG.exe.3040000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: SWIFT 00395_IMG.exe | Joe Sandbox ML: detected
Source: 1.2.svchost.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.SWIFT 00395_IMG.exe.3040000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: SWIFT 00395_IMG.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SWIFT 00395_IMG.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.688349508.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: msdt.pdbGCTL source: svchost.exe, 00000001.00000003.709271951.0000000005400000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: SWIFT 00395_IMG.exe, 00000000.00000003.657563874.0000000003200000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.712731644.000000000391F000.00000040.00000001.sdmp, msdt.exe, 00000007.00000002.919390874.0000000004EB0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: SWIFT 00395_IMG.exe, 00000000.00000003.657563874.0000000003200000.00000004.00000001.sdmp, svchost.exe, msdt.exe
Source: Binary string: svchost.pdb source: msdt.exe, 00000007.00000002.920789443.00000000053E7000.00000004.00000001.sdmp
Source: Binary string: svchost.pdbUGP source: msdt.exe, 00000007.00000002.920789443.00000000053E7000.00000004.00000001.sdmp
Source: Binary string: msdt.pdb source: svchost.exe, 00000001.00000003.709271951.0000000005400000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.688349508.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\SWIFT 00395_IMG.exe | Code function: 0_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose | 0_2_004059F0
Source: C:\Users\user\Desktop\SWIFT 00395_IMG.exe | Code function: 0_2_0040659C FindFirstFileA,FindClose | 0_2_0040659C
Source: C:\Users\user\Desktop\SWIFT 00395_IMG.exe | Code function: 0_2_004027A1 FindFirstFileA | 0_2_004027A1
Source: C:\Users\user\Desktop\SWIFT 00395_IMG.exe | File opened: C:\Users\user\AppData\Local\Temp\nsuD98F.tmp
Source: C:\Users\user\Desktop\SWIFT 00395_IMG.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\SWIFT 00395_IMG.exe | File opened: C:\Users\user\AppData\Local\Temp\u2xvckwaqaki
Source: C:\Users\user\Desktop\SWIFT 00395_IMG.exe | File opened: C:\Users\user\AppData\Local\Temp\jckq5d4hbdkbi4n7hsr
Source: C:\Users\user\Desktop\SWIFT 00395_IMG.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SWIFT 00395_IMG.exe | File opened: C:\Users\user\Desktop\SWIFT 00395_IMG.exe
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop edi | 1_2_0040C3BE
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop edi | 7_2_00A6C3BE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49754 -> 45.192.92.174:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49754 -> 45.192.92.174:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49754 -> 45.192.92.174:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49756 -> 180.150.102.39:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49756 -> 180.150.102.39:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49756 -> 180.150.102.39:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49767 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49767 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49767 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.seroungift.com/bbqo/
Source: global traffic | HTTP traffic detected: GET /bbqo/?Rb=M42dVLz8&XB64XbO8=DAKSku2UP9w0lKXY+LhytUUwyem6IfHDB7QSSdTpSALkSldV/1o9CxHuilJYCYQ/V6tP HTTP/1.1 | Host: www.thebestcoffeeshops.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?XB64XbO8=trcmmZYAhW1z3xFVKWe7fHl88qCucLFuCi4mCu0pcnYYHjBJZxUhua0G6TwplXUzf90o&Rb=M42dVLz8 HTTP/1.1 | Host: www.szzyhjj.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?Rb=M42dVLz8&XB64XbO8=XLcvqqeS1lhWgJP77JDDmgANyyJOPhQvBMhs62kpQnu2foMme1WiKofFk1rRWdP6dmuL HTTP/1.1 | Host: www.puzed.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?XB64XbO8=gW47Pg8Fo6iIv2ud/64/p2+3hov1DZqi/pO7CWKW8hPHr2u5wHbVWSaPXrsCIEHv8cct&Rb=M42dVLz8 HTTP/1.1 | Host: www.makeoverfurn.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?Rb=M42dVLz8&XB64XbO8=5cE52+XUn5YOw4VrTBFj5Yjg6Bdl2wnKeIdlDky+FVUstW8yNKK8e4wg1M4nQ/djAnNx HTTP/1.1 | Host: www.theboundless.life | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?Rb=M42dVLz8&XB64XbO8=40XENB+TcZexP2uUOo8nZZ5shhtfu5CrxuaTgdlTMM4sGAobqBEK7c7NHXloi3y0yuoT HTTP/1.1 | Host: www.northernbackflow.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?XB64XbO8=+83Ad9ys8+FMkuQHLQbEUx121DE/6nLvKA5vTUyMQ3D5zQ4YR59KLRowGPLGetqdy+rw&Rb=M42dVLz8 HTTP/1.1 | Host: www.crickescore.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?XB64XbO8=/Pkgzq8QL5NAcxZCkuSTp6cwj4lDt7P1w6jr1cEe5khMYSySzdqjBreEbEJxEDRHbmyL&Rb=M42dVLz8 HTTP/1.1 | Host: www.1800quilts.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?Rb=M42dVLz8&XB64XbO8=OyJvVzFrogId2JmOPk1mxNUaVNmw8U6tV5/SqSy/NPm0fO+yJiD5oYjbB5t0rhfZdAPi HTTP/1.1 | Host: www.xiangyuwenhua.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?XB64XbO8=GhdvojHCfMDRUam/4qOkhbREqNoCRj0dcDXGN06f9NKfhUBJ97Or2+k+J6GDFZvtQIxr&Rb=M42dVLz8 HTTP/1.1 | Host: www.seroungift.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?Rb=M42dVLz8&XB64XbO8=YYVXHHveBgSLNZYesnT1AghiVl/Xx3BIBb/tObWwW6qpUDZVV8sOQ19Z9K/TOFaASXJK HTTP/1.1 | Host: www.carboncuriosity.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 85.233.160.23
Source: Joe Sandbox View | IP Address: 184.168.131.241
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
Source: global traffic | HTTP traffic detected: GET /bbqo/?Rb=M42dVLz8&XB64XbO8=DAKSku2UP9w0lKXY+LhytUUwyem6IfHDB7QSSdTpSALkSldV/1o9CxHuilJYCYQ/V6tP HTTP/1.1 | Host: www.thebestcoffeeshops.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?XB64XbO8=trcmmZYAhW1z3xFVKWe7fHl88qCucLFuCi4mCu0pcnYYHjBJZxUhua0G6TwplXUzf90o&Rb=M42dVLz8 HTTP/1.1 | Host: www.szzyhjj.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?Rb=M42dVLz8&XB64XbO8=XLcvqqeS1lhWgJP77JDDmgANyyJOPhQvBMhs62kpQnu2foMme1WiKofFk1rRWdP6dmuL HTTP/1.1 | Host: www.puzed.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?XB64XbO8=gW47Pg8Fo6iIv2ud/64/p2+3hov1DZqi/pO7CWKW8hPHr2u5wHbVWSaPXrsCIEHv8cct&Rb=M42dVLz8 HTTP/1.1 | Host: www.makeoverfurn.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?Rb=M42dVLz8&XB64XbO8=5cE52+XUn5YOw4VrTBFj5Yjg6Bdl2wnKeIdlDky+FVUstW8yNKK8e4wg1M4nQ/djAnNx HTTP/1.1 | Host: www.theboundless.life | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?Rb=M42dVLz8&XB64XbO8=40XENB+TcZexP2uUOo8nZZ5shhtfu5CrxuaTgdlTMM4sGAobqBEK7c7NHXloi3y0yuoT HTTP/1.1 | Host: www.northernbackflow.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?XB64XbO8=+83Ad9ys8+FMkuQHLQbEUx121DE/6nLvKA5vTUyMQ3D5zQ4YR59KLRowGPLGetqdy+rw&Rb=M42dVLz8 HTTP/1.1 | Host: www.crickescore.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?XB64XbO8=/Pkgzq8QL5NAcxZCkuSTp6cwj4lDt7P1w6jr1cEe5khMYSySzdqjBreEbEJxEDRHbmyL&Rb=M42dVLz8 HTTP/1.1 | Host: www.1800quilts.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?Rb=M42dVLz8&XB64XbO8=OyJvVzFrogId2JmOPk1mxNUaVNmw8U6tV5/SqSy/NPm0fO+yJiD5oYjbB5t0rhfZdAPi HTTP/1.1 | Host: www.xiangyuwenhua.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?XB64XbO8=GhdvojHCfMDRUam/4qOkhbREqNoCRj0dcDXGN06f9NKfhUBJ97Or2+k+J6GDFZvtQIxr&Rb=M42dVLz8 HTTP/1.1 | Host: www.seroungift.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /bbqo/?Rb=M42dVLz8&XB64XbO8=YYVXHHveBgSLNZYesnT1AghiVl/Xx3BIBb/tObWwW6qpUDZVV8sOQ19Z9K/TOFaASXJK HTTP/1.1 | Host: www.carboncuriosity.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.thebestcoffeeshops.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 04 May 2021 06:54:49 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Server: Apache | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Content-Language: en | Expires: Tue, 04 May 2021 06:54:49 GMT
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SWIFT 00395_IMG.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SWIFT 00395_IMG.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000002.919974024.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.694149517.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: msdt.exe, 00000007.00000002.920833140.0000000005562000.00000004.00000001.sdmp | String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js
Source: msdt.exe, 00000007.00000002.920833140.0000000005562000.00000004.00000001.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/jQuery.serializeObject/2.0.3/jquery.serializeObject.min.js
Source: msdt.exe, 00000007.00000002.920833140.0000000005562000.00000004.00000001.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/json3/3.3.2/json3.min.js
Source: C:\Users\user\Desktop\SWIFT 00395_IMG.exe | Code function: 0_2_0040548D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard | 0_2_0040548D

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000007.00000002.919033031.0000000003170000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.918989444.0000000003110000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.711497215.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.711385222.0000000000D30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.710720815.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.665787832.0000000003040000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.917600888.0000000000A60000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SWIFT 00395_IMG.exe.3040000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SWIFT 00395_IMG.exe.3040000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000007.00000002.919033031.0000000003170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.919033031.0000000003170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.918989444.0000000003110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.918989444.0000000003110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.711497215.0000000000D60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.711497215.0000000000D60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.711385222.0000000000D30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.711385222.0000000000D30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.710720815.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.710720815.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.665787832.0000000003040000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.665787832.0000000003040000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.917600888.0000000000A60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.917600888.0000000000A60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.SWIFT 00395_IMG.exe.3040000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.SWIFT 00395_IMG.exe.3040000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.SWIFT 00395_IMG.exe.3040000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.SWIFT 00395_IMG.exe.3040000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: SWIFT 00395_IMG.exe
          Contains functionality to call native functions
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004181B0 NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418260 NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004182E0 NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418390 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041825A NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004182DA NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038699A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038698F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038697A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038696E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038695D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0386A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869A10 NtQuerySection
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038699D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038698A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0386B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0386A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869760 NtOpenProcess
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0386A770 NtOpenThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038696D0 NtCreateKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038695F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0386AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03869560 NtWriteFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F195D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F196E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F196D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F199A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F195F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19560 NtWriteFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F1AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F197A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F1A770 NtOpenThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19760 NtOpenProcess
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F1A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F198F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F198A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F1B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F199D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19A20 NtResumeThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19A10 NtQuerySection
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F1A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04F19B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_00A781B0 NtCreateFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_00A782E0 NtClose
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_00A78260 NtReadFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_00A78390 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_00A782DA NtClose
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_00A7825A NtReadFile
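The native-function listing above (NtWriteVirtualMemory, NtQueueApcThread, NtGetContextThread and NtSetContextThread, NtUnmapViewOfSection, NtResumeThread referenced from the svchost.exe and msdt.exe images) and the memory-dump names behind the Yara hits in the E-Banking Fraud section are the two parts of this report an analyst cross-checks first: the Nt* clusters say how the code got into those processes, and the dump names say whether the FormBook hits sit in executable, injected memory. The script below is an added triage example, not part of the sandbox report or its tooling. It parses a handful of the report's own Source lines (copied inline), decodes the protection field of each dump name, and tests each process's native-API set against small injection-technique indicator sets. Two things are assumptions of this example rather than definitions from the sandbox: the dump-name field layout (process index first, base address and page protection in the fourth and fifth fields; the other fields are not interpreted) and the indicator sets, which are one analyst's heuristic and not the sandbox's signature logic.

```python
"""Added triage example over sandbox report lines (not part of the report itself).

Two checks on a FormBook verdict:
  1. which Yara hits live in executable memory, decoded from the .sdmp dump name;
  2. which native-API combinations each process references (injection indicators).
"""
import re
from collections import defaultdict

# A subset of the report's own "Source:" lines, copied as they appear on the page
# (columns fused); the last line is abridged to two of its APIs.
REPORT_LINES = r"""
Source: Yara matchFile source: 00000007.00000002.919033031.0000000003170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000007.00000002.918989444.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.711497215.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.710720815.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.665787832.0000000003040000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03869A20 NtResumeThread,LdrInitializeThunk,1_2_03869A20
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038697A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_038697A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03869950 NtQueueApcThread,1_2_03869950
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038698A0 NtWriteVirtualMemory,1_2_038698A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386B040 NtSuspendThread,1_2_0386B040
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386A770 NtOpenThread,1_2_0386A770
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386AD30 NtSetContextThread,1_2_0386AD30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386A3B0 NtGetContextThread,1_2_0386A3B0
Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04F19A20 NtResumeThread,7_2_04F19A20
Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04F19950 NtQueueApcThread,7_2_04F19950
Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04F1A770 NtOpenThread,7_2_04F1A770
Source: C:\Users\user\Desktop\SWIFT 00395_IMG.exeCode function: 0_2_0040548D GetDlgItem,OpenClipboard,0_2_0040548D
""".strip().splitlines()

# winnt.h page-protection values. ASSUMPTION: the fifth dump-name field is the region's
# Protect value; it matches the values that occur in this report (0x04 and 0x40).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
EXECUTABLE_PROTECT = {0x10, 0x20, 0x40, 0x80}

# <procidx>.<field>.<dumpid>.<base>.<protect>.<field>.sdmp; only proc, base and protect are used.
DUMP_RE = re.compile(
    r"\b(?P<proc>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})\."
    r"(?P<protect>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp\b", re.I)

# "Source: <image>Code function: <pid>_<run>_<addr> Api1,Api2,...,<id>"; an optional
# " | " column separator is tolerated so cleaned-up lines parse as well.
CODEFN_RE = re.compile(
    r"Source:\s*(?P<image>.+?\.exe)\s*\|?\s*Code function:\s*"
    r"(?P<pid>\d+)_\d+_[0-9A-F]+\s+(?P<apis>\S+)", re.I)
FUNC_ID_RE = re.compile(r"\d+_\d+_[0-9A-F]+$", re.I)

# ASSUMPTION: heuristic indicator sets, every member must be referenced by the process.
TECHNIQUES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "APC injection": {"NtOpenThread", "NtQueueApcThread"},
    "thread context hijack": {"NtGetContextThread", "NtSuspendThread",
                              "NtSetContextThread", "NtResumeThread"},
}


def parse_dump_name(text):
    """Decode process index, base address and page protection from a .sdmp name."""
    m = DUMP_RE.search(text)
    if not m:
        return None
    protect = int(m["protect"], 16)
    return {"proc": int(m["proc"], 16), "base": int(m["base"], 16), "protect": protect,
            "protect_name": PAGE_PROTECT.get(protect, hex(protect)),
            "executable": protect in EXECUTABLE_PROTECT}


def parse_report(lines):
    """Split report lines into Yara memory hits and per-process native-API sets."""
    yara_hits = []
    api_by_proc = defaultdict(lambda: {"image": None, "apis": set()})
    for line in lines:
        if "Yara match" in line:
            hit = parse_dump_name(line)
            if hit:
                yara_hits.append(hit)
            continue
        m = CODEFN_RE.search(line)
        if not m:
            continue
        rec = api_by_proc[int(m["pid"])]
        rec["image"] = re.split(r"[\\/]", m["image"])[-1]
        # Drop the trailing function id that the report repeats after the API list.
        rec["apis"].update(a for a in m["apis"].split(",") if a and not FUNC_ID_RE.match(a))
    return yara_hits, dict(api_by_proc)


def executable_yara_hits(yara_hits):
    """Yara hits whose dump came from executable memory (injected code, not a data buffer)."""
    return [h for h in yara_hits if h["executable"]]


def injection_indicators(api_by_proc):
    """Per process index, the techniques whose full API set that process references."""
    return {pid: [name for name, need in TECHNIQUES.items() if need <= rec["apis"]]
            for pid, rec in sorted(api_by_proc.items())}


if __name__ == "__main__":
    hits, apis = parse_report(REPORT_LINES)
    for h in executable_yara_hits(hits):
        print(f"proc {h['proc']}: FormBook Yara hit at {h['base']:#x} ({h['protect_name']})")
    for pid, techs in injection_indicators(apis).items():
        print(f"proc {pid} ({apis[pid]['image']}): {', '.join(techs) or 'no injection indicators'}")
```

Run as-is, the script reports the 0x40 (PAGE_EXECUTE_READWRITE) hits in process 1 (svchost.exe) and process 7 (msdt.exe), all three indicator sets for svchost.exe, APC injection only for msdt.exe from the subset embedded here, and nothing for the NSIS installer stub in process 0. Feeding it the full report instead of the excerpt is a matter of replacing REPORT_LINES with the page's Source lines.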
          Contains functionality to shutdown / reboot the system
          Source: C:\Users\user\Desktop\SWIFT 00395_IMG.exe | Code function: 0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Detected potential crypto function
          Source: C:\Users\user\Desktop\SWIFT 00395_IMG.exe | Code function: 0_2_00406925
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401030
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041CB2B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00408C4B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00408C50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041BC1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041B493
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041B496
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041BD07
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041C529
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402D90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041BE6A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041C70E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402FB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0385EBB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038EDBD2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038F2B28
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038F22AE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0382F900
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03844120
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0383B090
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038520A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038F20A8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038F28EC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038E1002
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038F1FF1
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038F2EF7