
Windows Analysis Report Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Overview

General Information

Sample Name: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Analysis ID: 540355
MD5: 72a345c95142aee60e7df54b570c2c6b
SHA1: aa479735d39ced67594ff0b0d5f91679e506ac38
SHA256: a7a0ada5969b3b343a5c2d17e1fe57f542a0f9cb94b98daf7a4922d8cdcd5e8d
Tags: exe, Formbook, guloader, xloader

Detection

GuLoader FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Detected unpacking (changes PE section rights)
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Sigma detected: Suspect Svchost Activity
Yara detected GuLoader
Hides threads from debuggers
Maps a DLL or memory area into another process
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Bank_Transfer_Receipt_Copy_Scan#342 (5).exe (PID: 4360 cmdline: "C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe" MD5: 72A345C95142AEE60E7DF54B570C2C6B)
    • nongrav.exe (PID: 6136 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe MD5: BEB33BD2BF3282F8C86081144236545D)
      • nongrav.exe (PID: 4520 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe MD5: BEB33BD2BF3282F8C86081144236545D)
        • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • svchost.exe (PID: 6932 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
            • cmd.exe (PID: 5168 cmdline: /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • rundll32.exe (PID: 1096 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.thesocialmediacreator.com/i638/"], "decoy": ["serenitynailandspanj.com", "health-dodo.com", "agjordan.net", "retro-kids.com", "bobbygoldsports.com", "seitai-kuuto369.com", "sooga.club", "ezsweswrwy68.biz", "1006e.com", "libinyu.com", "prolinkdm.com", "pilysc.com", "blim.xyz", "eshop-dekorax.com", "timestretchmusic.com", "bs6351.com", "diamondmoodle.com", "antioxida.com", "sakugastudios.com", "metaverse-coaching.com", "motometics.com", "illumination-garage.com", "thelocalsproject.com", "erealestater.com", "frankenamazing.com", "arab-enterprises.com", "e15datadev.com", "bet365star.online", "bttextiles.com", "originaltradebot.icu", "test-testjisdnsec.net", "cloudwerx.digital", "gsjbd10.club", "joshuaearp.xyz", "tvaluehelp.com", "quietplaceintheforest.com", "refinanceforblue.com", "voiceoftour.com", "civicinfluence.com", "taxation-resources.com", "regeneration.land", "gogit.net", "spicynipples.com", "goldingravel.com", "selingoo.com", "aaryantech.com", "insight-j.com", "drivenbylight.net", "meipassion.com", "scuolapadelroma.store", "929671.com", "parkerdazzle.com", "yehudi-meshutaf.com", "johnsonforsheriff2022.com", "pointhunteracademy.com", "kyliiejenner.com", "tenlog066.xyz", "dobylife.com", "josemanueldelbusto.com", "vspfrme.com", "256571.com", "crossovertest.net", "fullcurlcnc.com", "theworldisheroyster.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.507414765.000000000067A000.00000040.00020000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x6ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x6bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x6af8:$sqlite3text: 68 38 2A 90 C5
  • 0x6c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(21 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started | Author: David Burkett | Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6932
Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6932
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6932

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.thesocialmediacreator.com/i638/"], "decoy": ["serenitynailandspanj.com", "health-dodo.com", "agjordan.net", "retro-kids.com", "bobbygoldsports.com", "seitai-kuuto369.com", "sooga.club", "ezsweswrwy68.biz", "1006e.com", "libinyu.com", "prolinkdm.com", "pilysc.com", "blim.xyz", "eshop-dekorax.com", "timestretchmusic.com", "bs6351.com", "diamondmoodle.com", "antioxida.com", "sakugastudios.com", "metaverse-coaching.com", "motometics.com", "illumination-garage.com", "thelocalsproject.com", "erealestater.com", "frankenamazing.com", "arab-enterprises.com", "e15datadev.com", "bet365star.online", "bttextiles.com", "originaltradebot.icu", "test-testjisdnsec.net", "cloudwerx.digital", "gsjbd10.club", "joshuaearp.xyz", "tvaluehelp.com", "quietplaceintheforest.com", "refinanceforblue.com", "voiceoftour.com", "civicinfluence.com", "taxation-resources.com", "regeneration.land", "gogit.net", "spicynipples.com", "goldingravel.com", "selingoo.com", "aaryantech.com", "insight-j.com", "drivenbylight.net", "meipassion.com", "scuolapadelroma.store", "929671.com", "parkerdazzle.com", "yehudi-meshutaf.com", "johnsonforsheriff2022.com", "pointhunteracademy.com", "kyliiejenner.com", "tenlog066.xyz", "dobylife.com", "josemanueldelbusto.com", "vspfrme.com", "256571.com", "crossovertest.net", "fullcurlcnc.com", "theworldisheroyster.com"]}
Multi AV Scanner detection for submitted file
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Metadefender: Detection: 14%
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match | File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: www.thesocialmediacreator.com/i638/ | Virustotal: Detection: 5%
Machine Learning detection for sample
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Joe Sandbox ML: detected
Source: 1.2.nongrav.exe.560000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 22.2.svchost.exe.3f3796c.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 22.2.svchost.exe.3214020.1.unpack | Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Code function: 0_2_00F32DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.3:49837 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.3:49838 version: TLS 1.2
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wextract.pdb | source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Binary string: wntdll.pdbUGP | source: nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: nongrav.exe, nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
Source: Binary string: wextract.pdbPp | source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Binary string: svchost.pdb | source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp
Source: Binary string: svchost.pdbUGP | source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Code function: 0_2_00F321E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop esi | 22_2_02D35825

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.thesocialmediacreator.com/i638/
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-0c-ao-docs.googleusercontent.com | Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49837
Source: nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ
Source: unknown | DNS traffic detected: queries for: drive.google.com
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-0c-ao-docs.googleusercontent.com | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.3:49837 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.3:49838 version: TLS 1.2
Source: nongrav.exe, 00000001.00000002.507440632.00000000006BA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.821885746.0000000003F37000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.821885746.0000000003F37000.00000004.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exeCode function: 0_2_00F31DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,0_2_00F31DC7
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exeCode function: 0_2_00F35B880_2_00F35B88
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_004015E01_2_004015E0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AAD2271_2_02AAD227
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA92481_2_02AA9248
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA8F8B1_2_02AA8F8B
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA969B1_2_02AA969B
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AAA67E1_2_02AAA67E
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA80491_2_02AA8049
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AAB7B81_2_02AAB7B8
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA01F81_2_02AA01F8
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AAC1121_2_02AAC112
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_00408C6B15_2_00408C6B
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_00408C7015_2_00408C70
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB922AE15_2_1EB922AE
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB92EF715_2_1EB92EF7
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAE6E3015_2_1EAE6E30
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAFEBB015_2_1EAFEBB0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB91FF115_2_1EB91FF1
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB8DBD2
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB92B28
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF20A0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB920A8
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EADB090
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB928EC
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD841F
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB81002
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF2581
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EADD5E0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB925DD
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC0D20
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAE4120
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EACF900
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB92D07
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB91D55
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A5EBB0
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A46E30
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A20D20
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A44120
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A2F900
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF1D55
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A3B090
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE1002
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A3841F
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D3D1FB
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D3C944
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D22FB0
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D28C70
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D28C6B
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D22D90
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D22D87
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: String function: 1EACB150 appears 35 times
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 1_2_02AA9248 NtAllocateVirtualMemory
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 1_2_02AACBBD NtProtectVirtualMemory
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_00418680 NtReadFile
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_004185D0 NtCreateFile
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_004187B0 NtAllocateVirtualMemory
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_0041867C NtCreateFile,NtReadFile
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_00418622 NtCreateFile
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_004185CD NtCreateFile
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_004187AA NtAllocateVirtualMemory
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB096E0 NtFreeVirtualMemory,LdrInitializeThunk
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09A20 NtResumeThread,LdrInitializeThunk
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09A00 NtProtectVirtualMemory,LdrInitializeThunk
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09660 NtAllocateVirtualMemory,LdrInitializeThunk
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09A50 NtCreateFile,LdrInitializeThunk
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB097A0 NtUnmapViewOfSection,LdrInitializeThunk
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09780 NtMapViewOfSection,LdrInitializeThunk
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09FE0 NtCreateMutant,LdrInitializeThunk
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09710 NtQueryInformationToken,LdrInitializeThunk
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB098F0 NtReadVirtualMemory,LdrInitializeThunk
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09860 NtQuerySystemInformation,LdrInitializeThunk
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09840 NtDelayExecution,LdrInitializeThunk
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB099A0 NtCreateSection,LdrInitializeThunk
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09910 NtAdjustPrivilegesToken,LdrInitializeThunk
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09540 NtReadFile,LdrInitializeThunk
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09A80 NtOpenDirectoryObject
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB096D0 NtCreateKey
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09A10 NtQuerySection
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09610 NtEnumerateValueKey
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09670 NtQueryInformationProcess
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09650 NtQueryValueKey
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB0A3B0 NtGetContextThread
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09730 NtQueryVirtualMemory
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB0A710 NtOpenProcessToken
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09B00 NtSetValueKey
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB0A770 NtOpenThread
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09770 NtSetInformationFile
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09760 NtOpenProcess
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB098A0 NtWriteVirtualMemory
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09820 NtEnumerateKey
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB0B040 NtSuspendThread
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB095F0 NtQueryInformationFile
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB099D0 NtCreateProcessEx
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB095D0 NtClose
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB0AD30 NtSetContextThread
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09520 NtWaitForSingleObject
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09560 NtWriteFile
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09950 NtQueueApcThread
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_005279BE LdrInitializeThunk,NtProtectVirtualMemory
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_00527AB1 Sleep,NtProtectVirtualMemory
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_005279B9 LdrInitializeThunk,NtProtectVirtualMemory
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_00527AE7 NtProtectVirtualMemory
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69780 NtMapViewOfSection,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69FE0 NtCreateMutant,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69710 NtQueryInformationToken,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A696E0 NtFreeVirtualMemory,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A696D0 NtCreateKey,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69660 NtAllocateVirtualMemory,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69650 NtQueryValueKey,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69A50 NtCreateFile,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A699A0 NtCreateSection,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A695D0 NtClose,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69910 NtAdjustPrivilegesToken,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69540 NtReadFile,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69860 NtQuerySystemInformation,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69840 NtDelayExecution,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A697A0 NtUnmapViewOfSection
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A6A3B0 NtGetContextThread
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69730 NtQueryVirtualMemory
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69B00 NtSetValueKey
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A6A710 NtOpenProcessToken
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69760 NtOpenProcess
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69770 NtSetInformationFile
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A6A770 NtOpenThread
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69A80 NtOpenDirectoryObject
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69A20 NtResumeThread
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69A00 NtProtectVirtualMemory
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69610 NtEnumerateValueKey
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69A10 NtQuerySection
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69670 NtQueryInformationProcess
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A695F0 NtQueryInformationFile
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A699D0 NtCreateProcessEx
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69520 NtWaitForSingleObject
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A6AD30 NtSetContextThread
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69560 NtWriteFile
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69950 NtQueueApcThread
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A698A0 NtWriteVirtualMemory
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A698F0 NtReadVirtualMemory
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69820 NtEnumerateKey
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A6B040 NtSuspendThread
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D38680 NtReadFile
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D387B0 NtAllocateVirtualMemory
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D38700 NtClose
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D385D0 NtCreateFile
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D3867C NtCreateFile,NtReadFile
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D38622 NtCreateFile
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D387AA NtAllocateVirtualMemory
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D385CD NtCreateFile
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 61538 bytes, 1 file
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Process Stats: CPU usage > 98%
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Binary or memory string: OriginalFilename vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000003.294702939.000000000343E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamenongrav.exe vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000000.293866460.0000000000F3A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: nongrav.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Metadefender: Detection: 14%
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe ReversingLabs: Detection: 26%
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: unknown Process created: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe "C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe"
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
        Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,D