Loading ...

Play interactive tourEdit tour

Windows Analysis Report HSBC_SWIFT-20-11-2021.exe

Overview

General Information

Sample Name:HSBC_SWIFT-20-11-2021.exe
Analysis ID:528767
MD5:3e9bddcd8ede94beb73d43d4d3446fe7
SHA1:27723f2fb360a300df95c22fd1d8353a5d940455
SHA256:4518c17e858eaae9a38cdf5953bd7d0cad3c3fd5fa2b9a5b84e0cad5e8ecfc5e
Tags:exeFormbookHSBC
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Self deletion via cmd delete
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • HSBC_SWIFT-20-11-2021.exe (PID: 7156 cmdline: "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe" MD5: 3E9BDDCD8EDE94BEB73D43D4D3446FE7)
    • powershell.exe (PID: 5828 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5576 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RdffGefdbLSx.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4528 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RdffGefdbLSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB8.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • HSBC_SWIFT-20-11-2021.exe (PID: 6020 cmdline: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe MD5: 3E9BDDCD8EDE94BEB73D43D4D3446FE7)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 1972 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 5868 cmdline: /c del "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 3120 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.164661.com/ntfs/"], "decoy": ["cast-host.com", "sheenwoman.com", "cateringpairs.com", "butikgamis.com", "esd66.com", "beautystaze.com", "findavetnearme.com", "lyketigers.com", "nesboutiqe.com", "jadeutil.com", "survivalfresh.com", "realestatebramlett.com", "glorynap.com", "awards.institute", "huangtapps.com", "beyondwithyou.com", "cryptocustomerhelp.com", "plataformasoma.net", "lstpark.com", "noalareelecionindefinida.com", "supersconti.xyz", "emotors-invoice.com", "adamelsouk.com", "pellondo.com", "itstimewashington.com", "ss9n.xyz", "wecuxs.com", "wonderfulwithyou.com", "livetvnews24.com", "humanblessings.com", "soins-sophro.website", "pailuanshizhi.com", "balanzasdeplataformaperu.com", "wingboxonline.com", "importexportjessi.com", "revenberggmemergencyupgrade.com", "comicvan.com", "docomoaj.xyz", "accelerate6.com", "englishforbreakfast.com", "braapboxclub.com", "damana-vetements.com", "corinnewehby.com", "tonesify.com", "growversa.com", "cemetrasbeautyboutique.com", "newbalancecore.xyz", "cqguipu.com", "vdcasinolinkegit.club", "sednayachts.com", "alinatargetpro.com", "pawcomart.com", "aisle5.store", "dayinburgas.com", "c2batxpvme9ey3poams7369.com", "everythingby-b.com", "laliinparfumeri.com", "ntwapedi.com", "mrbubblesftlauderdale.com", "averiansmom.com", "ipelle.com", "waiting-game.com", "online-security.support", "hartfortlife.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
    • 0x16af8:$sqlite3text: 68 38 2A 90 C5
    • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
    00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 34 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x15cc9:$sqlite3step: 68 34 1C 7B E1
        • 0x15ddc:$sqlite3step: 68 34 1C 7B E1
        • 0x15cf8:$sqlite3text: 68 38 2A 90 C5
        • 0x15e1d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
        8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 17 entries

          Sigma Overview

          System Summary:

          barindex
          Sigma detected: Suspicius Add Task From User AppData TempShow sources
          Source: Process startedAuthor: frack113: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RdffGefdbLSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB8.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RdffGefdbLSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB8.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe" , ParentImage: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, ParentProcessId: 7156, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RdffGefdbLSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB8.tmp, ProcessId: 4528
          Sigma detected: Powershell Defender ExclusionShow sources
          Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe" , ParentImage: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, ParentProcessId: 7156, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, ProcessId: 5828
          Sigma detected: Possible Applocker BypassShow sources
          Source: Process startedAuthor: juju4: Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 1972
          Sigma detected: Non Interactive PowerShellShow sources
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe" , ParentImage: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, ParentProcessId: 7156, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe, ProcessId: 5828
          Sigma detected: T1086 PowerShell ExecutionShow sources
          Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132823685347918465.5828.DefaultAppDomain.powershell

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.164661.com/ntfs/"], "decoy": ["cast-host.com", "sheenwoman.com", "cateringpairs.com", "butikgamis.com", "esd66.com", "beautystaze.com", "findavetnearme.com", "lyketigers.com", "nesboutiqe.com", "jadeutil.com", "survivalfresh.com", "realestatebramlett.com", "glorynap.com", "awards.institute", "huangtapps.com", "beyondwithyou.com", "cryptocustomerhelp.com", "plataformasoma.net", "lstpark.com", "noalareelecionindefinida.com", "supersconti.xyz", "emotors-invoice.com", "adamelsouk.com", "pellondo.com", "itstimewashington.com", "ss9n.xyz", "wecuxs.com", "wonderfulwithyou.com", "livetvnews24.com", "humanblessings.com", "soins-sophro.website", "pailuanshizhi.com", "balanzasdeplataformaperu.com", "wingboxonline.com", "importexportjessi.com", "revenberggmemergencyupgrade.com", "comicvan.com", "docomoaj.xyz", "accelerate6.com", "englishforbreakfast.com", "braapboxclub.com", "damana-vetements.com", "corinnewehby.com", "tonesify.com", "growversa.com", "cemetrasbeautyboutique.com", "newbalancecore.xyz", "cqguipu.com", "vdcasinolinkegit.club", "sednayachts.com", "alinatargetpro.com", "pawcomart.com", "aisle5.store", "dayinburgas.com", "c2batxpvme9ey3poams7369.com", "everythingby-b.com", "laliinparfumeri.com", "ntwapedi.com", "mrbubblesftlauderdale.com", "averiansmom.com", "ipelle.com", "waiting-game.com", "online-security.support", "hartfortlife.com"]}
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.380797387.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000002.624991985.00000000035E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.385092750.0000000004232000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.432842993.0000000007682000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.381918997.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.476370956.0000000001590000.00000040.00020000.sdmp, type: MEMORY
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: HSBC_SWIFT-20-11-2021.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: HSBC_SWIFT-20-11-2021.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: msdt.pdbGCTL source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.479620363.0000000003930000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.477765474.000000000198F000.00000040.00000001.sdmp, HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, msdt.exe, 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, msdt.exe, 00000014.00000003.475842542.00000000050C0000.00000004.00000001.sdmp, msdt.exe, 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: HSBC_SWIFT-20-11-2021.exe, HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.477765474.000000000198F000.00000040.00000001.sdmp, HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, msdt.exe, 00000014.00000003.475842542.00000000050C0000.00000004.00000001.sdmp, msdt.exe, 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
          Source: Binary string: msdt.pdb source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.479620363.0000000003930000.00000040.00020000.sdmp

          Networking:

          barindex
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.164661.com/ntfs/
          Source: explorer.exe, 0000001C.00000000.610554099.000000000600C000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.384226199.0000000002FC1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 0000000A.00000000.405790270.000000000095C000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.423799260.000000000095C000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.385812561.000000000095C000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.455497902.000000000095C000.00000004.00000020.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.380797387.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000002.624991985.00000000035E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.385092750.0000000004232000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.432842993.0000000007682000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.381918997.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.476370956.0000000001590000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.380797387.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.380797387.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.624991985.00000000035E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.624991985.00000000035E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.385092750.0000000004232000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.385092750.0000000004232000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.432842993.0000000007682000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.432842993.0000000007682000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.381918997.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.381918997.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.476370956.0000000001590000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.476370956.0000000001590000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: HSBC_SWIFT-20-11-2021.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.475690715.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.625088628.0000000003610000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.412407613.0000000007682000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.622812715.0000000000E30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.380797387.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.380797387.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.624991985.00000000035E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.624991985.00000000035E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.385092750.0000000004232000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.385092750.0000000004232000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.432842993.0000000007682000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.432842993.0000000007682000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.476496897.00000000017D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.381918997.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.381918997.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.476370956.0000000001590000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.476370956.0000000001590000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 0_2_00C0765F0_2_00C0765F
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 0_2_00C077150_2_00C07715
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 0_2_00C05C240_2_00C05C24
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 0_2_017282500_2_01728250
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 0_2_0172D2E80_2_0172D2E8
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 0_2_057890720_2_05789072
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 0_2_05785A770_2_05785A77
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 0_2_05785AB00_2_05785AB0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0040102B8_2_0040102B
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_004010308_2_00401030
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_004161D98_2_004161D9
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0041B9918_2_0041B991
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0041CBDA8_2_0041CBDA
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_00408C6C8_2_00408C6C
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_00408C708_2_00408C70
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0041BDC48_2_0041BDC4
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0041C5F78_2_0041C5F7
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_00402D878_2_00402D87
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_00402D908_2_00402D90
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_00402FB08_2_00402FB0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_00EA5C248_2_00EA5C24
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_00EA765F8_2_00EA765F
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_00EA77158_2_00EA7715
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0189F9008_2_0189F900
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018B41208_2_018B4120
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018AB0908_2_018AB090
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C20A08_2_018C20A0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_019620A88_2_019620A8
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_019628EC8_2_019628EC
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_019510028_2_01951002
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0196E8248_2_0196E824
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018BA8308_2_018BA830
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018CEBB08_2_018CEBB0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0195DBD28_2_0195DBD2
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_019503DA8_2_019503DA
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01962B288_2_01962B28
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018BAB408_2_018BAB40
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_019622AE8_2_019622AE
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0194FA2B8_2_0194FA2B
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018C25818_2_018C2581
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_019625DD8_2_019625DD
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018AD5E08_2_018AD5E0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01962D078_2_01962D07
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01890D208_2_01890D20
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01961D558_2_01961D55
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018A841F8_2_018A841F
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0195D4668_2_0195D466
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0196DFCE8_2_0196DFCE
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01961FF18_2_01961FF1
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_01962EF78_2_01962EF7
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0195D6168_2_0195D616
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018B6E308_2_018B6E30
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054E1D5520_2_054E1D55
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054E2D0720_2_054E2D07
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05410D2020_2_05410D20
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054E25DD20_2_054E25DD
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_0542D5E020_2_0542D5E0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_0544258120_2_05442581
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054DD46620_2_054DD466
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_0542841F20_2_0542841F
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054EDFCE20_2_054EDFCE
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054E1FF120_2_054E1FF1
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054DD61620_2_054DD616
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05436E3020_2_05436E30
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054E2EF720_2_054E2EF7
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_0541F90020_2_0541F900
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_0543412020_2_05434120
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054399BF20_2_054399BF
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054D100220_2_054D1002
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054EE82420_2_054EE824
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_0543A83020_2_0543A830
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054E28EC20_2_054E28EC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_0542B09020_2_0542B090
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054420A020_2_054420A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054E20A820_2_054E20A8
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_0543AB4020_2_0543AB40
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054E2B2820_2_054E2B28
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054D03DA20_2_054D03DA
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054DDBD220_2_054DDBD2
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_0544EBB020_2_0544EBB0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054CFA2B20_2_054CFA2B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054E22AE20_2_054E22AE
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E461D920_2_00E461D9
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E4B99120_2_00E4B991
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E4CBDA20_2_00E4CBDA
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E38C6C20_2_00E38C6C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E38C7020_2_00E38C70
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E4C5F020_2_00E4C5F0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E32D8720_2_00E32D87
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E32D9020_2_00E32D90
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E32FB020_2_00E32FB0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 0541B150 appears 66 times
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: String function: 0189B150 appears 54 times
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_004185D0 NtCreateFile,8_2_004185D0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_00418680 NtReadFile,8_2_00418680
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_00418700 NtClose,8_2_00418700
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_004187B0 NtAllocateVirtualMemory,8_2_004187B0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_004186FB NtClose,8_2_004186FB
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_004187AA NtAllocateVirtualMemory,8_2_004187AA
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D99A0 NtCreateSection,LdrInitializeThunk,8_2_018D99A0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,8_2_018D9910
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D98F0 NtReadVirtualMemory,LdrInitializeThunk,8_2_018D98F0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9840 NtDelayExecution,LdrInitializeThunk,8_2_018D9840
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9860 NtQuerySystemInformation,LdrInitializeThunk,8_2_018D9860
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9A00 NtProtectVirtualMemory,LdrInitializeThunk,8_2_018D9A00
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9A20 NtResumeThread,LdrInitializeThunk,8_2_018D9A20
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9A50 NtCreateFile,LdrInitializeThunk,8_2_018D9A50
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D95D0 NtClose,LdrInitializeThunk,8_2_018D95D0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9540 NtReadFile,LdrInitializeThunk,8_2_018D9540
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9780 NtMapViewOfSection,LdrInitializeThunk,8_2_018D9780
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D97A0 NtUnmapViewOfSection,LdrInitializeThunk,8_2_018D97A0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9FE0 NtCreateMutant,LdrInitializeThunk,8_2_018D9FE0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9710 NtQueryInformationToken,LdrInitializeThunk,8_2_018D9710
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D96E0 NtFreeVirtualMemory,LdrInitializeThunk,8_2_018D96E0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9660 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_018D9660
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D99D0 NtCreateProcessEx,8_2_018D99D0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9950 NtQueueApcThread,8_2_018D9950
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D98A0 NtWriteVirtualMemory,8_2_018D98A0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9820 NtEnumerateKey,8_2_018D9820
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018DB040 NtSuspendThread,8_2_018DB040
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018DA3B0 NtGetContextThread,8_2_018DA3B0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9B00 NtSetValueKey,8_2_018D9B00
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9A80 NtOpenDirectoryObject,8_2_018D9A80
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9A10 NtQuerySection,8_2_018D9A10
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D95F0 NtQueryInformationFile,8_2_018D95F0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9520 NtWaitForSingleObject,8_2_018D9520
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018DAD30 NtSetContextThread,8_2_018DAD30
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9560 NtWriteFile,8_2_018D9560
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018DA710 NtOpenProcessToken,8_2_018DA710
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9730 NtQueryVirtualMemory,8_2_018D9730
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9760 NtOpenProcess,8_2_018D9760
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018DA770 NtOpenThread,8_2_018DA770
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9770 NtSetInformationFile,8_2_018D9770
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D96D0 NtCreateKey,8_2_018D96D0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9610 NtEnumerateValueKey,8_2_018D9610
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9650 NtQueryValueKey,8_2_018D9650
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018D9670 NtQueryInformationProcess,8_2_018D9670
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459540 NtReadFile,LdrInitializeThunk,20_2_05459540
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054595D0 NtClose,LdrInitializeThunk,20_2_054595D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459710 NtQueryInformationToken,LdrInitializeThunk,20_2_05459710
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459FE0 NtCreateMutant,LdrInitializeThunk,20_2_05459FE0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459780 NtMapViewOfSection,LdrInitializeThunk,20_2_05459780
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459650 NtQueryValueKey,LdrInitializeThunk,20_2_05459650
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459660 NtAllocateVirtualMemory,LdrInitializeThunk,20_2_05459660
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054596D0 NtCreateKey,LdrInitializeThunk,20_2_054596D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054596E0 NtFreeVirtualMemory,LdrInitializeThunk,20_2_054596E0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459910 NtAdjustPrivilegesToken,LdrInitializeThunk,20_2_05459910
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054599A0 NtCreateSection,LdrInitializeThunk,20_2_054599A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459840 NtDelayExecution,LdrInitializeThunk,20_2_05459840
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459860 NtQuerySystemInformation,LdrInitializeThunk,20_2_05459860
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459A50 NtCreateFile,LdrInitializeThunk,20_2_05459A50
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459560 NtWriteFile,20_2_05459560
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459520 NtWaitForSingleObject,20_2_05459520
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_0545AD30 NtSetContextThread,20_2_0545AD30
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054595F0 NtQueryInformationFile,20_2_054595F0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459760 NtOpenProcess,20_2_05459760
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_0545A770 NtOpenThread,20_2_0545A770
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459770 NtSetInformationFile,20_2_05459770
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_0545A710 NtOpenProcessToken,20_2_0545A710
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459730 NtQueryVirtualMemory,20_2_05459730
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054597A0 NtUnmapViewOfSection,20_2_054597A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459670 NtQueryInformationProcess,20_2_05459670
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459610 NtEnumerateValueKey,20_2_05459610
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459950 NtQueueApcThread,20_2_05459950
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054599D0 NtCreateProcessEx,20_2_054599D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_0545B040 NtSuspendThread,20_2_0545B040
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459820 NtEnumerateKey,20_2_05459820
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054598F0 NtReadVirtualMemory,20_2_054598F0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_054598A0 NtWriteVirtualMemory,20_2_054598A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459B00 NtSetValueKey,20_2_05459B00
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_0545A3B0 NtGetContextThread,20_2_0545A3B0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459A00 NtProtectVirtualMemory,20_2_05459A00
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459A10 NtQuerySection,20_2_05459A10
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459A20 NtResumeThread,20_2_05459A20
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_05459A80 NtOpenDirectoryObject,20_2_05459A80
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E485D0 NtCreateFile,20_2_00E485D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E48680 NtReadFile,20_2_00E48680
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E487B0 NtAllocateVirtualMemory,20_2_00E487B0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E48700 NtClose,20_2_00E48700
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E486FB NtClose,20_2_00E486FB
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E487AA NtAllocateVirtualMemory,20_2_00E487AA
          Source: HSBC_SWIFT-20-11-2021.exe, 00000000.00000000.343003231.0000000000C6E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameUnmanagedMemoryAccess.exe. vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.386918351.0000000006480000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.384226199.0000000002FC1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exe, 00000000.00000002.384803178.0000000003FCD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.476069084.0000000000F0E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameUnmanagedMemoryAccess.exe. vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.478771184.0000000001B1F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.477765474.000000000198F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.479620363.0000000003930000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamemsdt.exej% vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exeBinary or memory string: OriginalFilenameUnmanagedMemoryAccess.exe. vs HSBC_SWIFT-20-11-2021.exe
          Source: HSBC_SWIFT-20-11-2021.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: RdffGefdbLSx.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeFile read: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe:Zone.IdentifierJump to behavior
          Source: HSBC_SWIFT-20-11-2021.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RdffGefdbLSx.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RdffGefdbLSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB8.tmp
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess created: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\explorer.exe explorer.exe
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RdffGefdbLSx.exeJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RdffGefdbLSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB8.tmpJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess created: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeJump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeFile created: C:\Users\user\AppData\Roaming\RdffGefdbLSx.exeJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeFile created: C:\Users\user\AppData\Local\Temp\tmp4EB8.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@17/12@0/0
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4708:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4532:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3184:120:WilError_01
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeMutant created: \Sessions\1\BaseNamedObjects\GJVbibhyPBlryhb
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
          Source: HSBC_SWIFT-20-11-2021.exeString found in binary or memory: /UnmanagedMemoryAccess;component/views/addbook.xaml
          Source: HSBC_SWIFT-20-11-2021.exeString found in binary or memory: views/addbook.baml
          Source: HSBC_SWIFT-20-11-2021.exeString found in binary or memory: views/addcustomer.baml
          Source: HSBC_SWIFT-20-11-2021.exeString found in binary or memory: /UnmanagedMemoryAccess;component/views/addcustomer.xaml
          Source: HSBC_SWIFT-20-11-2021.exeString found in binary or memory: /UnmanagedMemoryAccess;component/views/addbook.xaml
          Source: HSBC_SWIFT-20-11-2021.exeString found in binary or memory: views/addcustomer.baml
          Source: HSBC_SWIFT-20-11-2021.exeString found in binary or memory: views/addbook.baml
          Source: HSBC_SWIFT-20-11-2021.exeString found in binary or memory: /UnmanagedMemoryAccess;component/views/addcustomer.xaml
          Source: HSBC_SWIFT-20-11-2021.exeString found in binary or memory: g/UnmanagedMemoryAccess;component/views/addbook.xaml}/UnmanagedMemoryAccess;component/views/borrowfrombookview.xamls/UnmanagedMemoryAccess;component/views/borrowingview.xamlm/UnmanagedMemoryAccess;component/views/changebook.xamlu/UnmanagedMemoryAccess;component/views/changecustomer.xamlq/UnmanagedMemoryAccess;component/views/customerview.xamlu/UnmanagedMemoryAccess;component/views/deletecustomer.xamlk/UnmanagedMemoryAccess;component/views/errorview.xamlo/UnmanagedMemoryAccess;component/views/smallextras.xamlo/UnmanagedMemoryAccess;component/views/addcustomer.xaml
          Source: HSBC_SWIFT-20-11-2021.exeString found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\explorer.exe
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: HSBC_SWIFT-20-11-2021.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: HSBC_SWIFT-20-11-2021.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: msdt.pdbGCTL source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.479620363.0000000003930000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.477765474.000000000198F000.00000040.00000001.sdmp, HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, msdt.exe, 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, msdt.exe, 00000014.00000003.475842542.00000000050C0000.00000004.00000001.sdmp, msdt.exe, 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: HSBC_SWIFT-20-11-2021.exe, HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.477765474.000000000198F000.00000040.00000001.sdmp, HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.476748444.0000000001870000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 00000014.00000002.627202964.00000000053F0000.00000040.00000001.sdmp, msdt.exe, 00000014.00000003.475842542.00000000050C0000.00000004.00000001.sdmp, msdt.exe, 00000014.00000002.629817947.000000000550F000.00000040.00000001.sdmp
          Source: Binary string: msdt.pdb source: HSBC_SWIFT-20-11-2021.exe, 00000008.00000002.479620363.0000000003930000.00000040.00020000.sdmp

          Data Obfuscation:

          barindex
          .NET source code contains potential unpackerShow sources
          Source: HSBC_SWIFT-20-11-2021.exe, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: RdffGefdbLSx.exe.0.dr, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.HSBC_SWIFT-20-11-2021.exe.c00000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.HSBC_SWIFT-20-11-2021.exe.c00000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.ea0000.3.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.ea0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.2.HSBC_SWIFT-20-11-2021.exe.ea0000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.ea0000.7.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.ea0000.2.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.ea0000.5.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.ea0000.9.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 8.0.HSBC_SWIFT-20-11-2021.exe.ea0000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 0_2_00C09347 push ds; ret 0_2_00C0934C
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 0_2_00C09361 push ds; retf 0_2_00C09364
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 0_2_00C092F5 push ds; ret 0_2_00C09340
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 0_2_057856E0 push esp; iretd 0_2_057856E9
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0041B87C push eax; ret 8_2_0041B882
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0041B812 push eax; ret 8_2_0041B818
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0041B81B push eax; ret 8_2_0041B882
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0041B234 push 00000055h; iretd 8_2_0041B236
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_004154CA pushfd ; retf 8_2_004154D3
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_0041B7C5 push eax; ret 8_2_0041B818
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_00EA92F5 push ds; ret 8_2_00EA9340
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_00EA9361 push ds; retf 8_2_00EA9364
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_00EA9347 push ds; ret 8_2_00EA934C
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeCode function: 8_2_018ED0D1 push ecx; ret 8_2_018ED0E4
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_0546D0D1 push ecx; ret 20_2_0546D0E4
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E4B87C push eax; ret 20_2_00E4B882
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E4B812 push eax; ret 20_2_00E4B818
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E4B81B push eax; ret 20_2_00E4B882
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E4B234 push 00000055h; iretd 20_2_00E4B236
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E454CA pushfd ; retf 20_2_00E454D3
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 20_2_00E4B7C5 push eax; ret 20_2_00E4B818
          Source: initial sampleStatic PE information: section name: .text entropy: 7.85580215694
          Source: initial sampleStatic PE information: section name: .text entropy: 7.85580215694
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeFile created: C:\Users\user\AppData\Roaming\RdffGefdbLSx.exeJump to dropped file

          Boot Survival:

          barindex
          Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RdffGefdbLSx" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB8.tmp

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Self deletion via cmd deleteShow sources
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: /c del "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: /c del "C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exe"
          Source: C:\Windows\explorer.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\HSBC_SWIFT-20-11-2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\W