
Windows Analysis Report Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Overview

General Information

Sample Name: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Analysis ID: 540355
MD5: 72a345c95142aee60e7df54b570c2c6b
SHA1: aa479735d39ced67594ff0b0d5f91679e506ac38
SHA256: a7a0ada5969b3b343a5c2d17e1fe57f542a0f9cb94b98daf7a4922d8cdcd5e8d
Tags: exe, Formbook, guloader, xloader

Detection

GuLoader FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Detected unpacking (changes PE section rights)
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Sigma detected: Suspect Svchost Activity
Yara detected GuLoader
Hides threads from debuggers
Maps a DLL or memory area into another process
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Bank_Transfer_Receipt_Copy_Scan#342 (5).exe (PID: 4360 cmdline: "C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe" MD5: 72A345C95142AEE60E7DF54B570C2C6B)
    • nongrav.exe (PID: 6136 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe MD5: BEB33BD2BF3282F8C86081144236545D)
      • nongrav.exe (PID: 4520 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe MD5: BEB33BD2BF3282F8C86081144236545D)
        • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • svchost.exe (PID: 6932 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
            • cmd.exe (PID: 5168 cmdline: /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • rundll32.exe (PID: 1096 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.thesocialmediacreator.com/i638/"], "decoy": ["serenitynailandspanj.com", "health-dodo.com", "agjordan.net", "retro-kids.com", "bobbygoldsports.com", "seitai-kuuto369.com", "sooga.club", "ezsweswrwy68.biz", "1006e.com", "libinyu.com", "prolinkdm.com", "pilysc.com", "blim.xyz", "eshop-dekorax.com", "timestretchmusic.com", "bs6351.com", "diamondmoodle.com", "antioxida.com", "sakugastudios.com", "metaverse-coaching.com", "motometics.com", "illumination-garage.com", "thelocalsproject.com", "erealestater.com", "frankenamazing.com", "arab-enterprises.com", "e15datadev.com", "bet365star.online", "bttextiles.com", "originaltradebot.icu", "test-testjisdnsec.net", "cloudwerx.digital", "gsjbd10.club", "joshuaearp.xyz", "tvaluehelp.com", "quietplaceintheforest.com", "refinanceforblue.com", "voiceoftour.com", "civicinfluence.com", "taxation-resources.com", "regeneration.land", "gogit.net", "spicynipples.com", "goldingravel.com", "selingoo.com", "aaryantech.com", "insight-j.com", "drivenbylight.net", "meipassion.com", "scuolapadelroma.store", "929671.com", "parkerdazzle.com", "yehudi-meshutaf.com", "johnsonforsheriff2022.com", "pointhunteracademy.com", "kyliiejenner.com", "tenlog066.xyz", "dobylife.com", "josemanueldelbusto.com", "vspfrme.com", "256571.com", "crossovertest.net", "fullcurlcnc.com", "theworldisheroyster.com"]}

Yara Overview

Memory Dumps

Source: 00000001.00000002.507414765.000000000067A000.00000040.00020000.sdmp, Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group, Strings:
  • 0x6ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x6bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x6af8:$sqlite3text: 68 38 2A 90 C5
  • 0x6c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started, Author: David Burkett, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6932
Sigma detected: Suspicious Svchost Process
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6932
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6932

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.thesocialmediacreator.com/i638/"], "decoy": ["serenitynailandspanj.com", "health-dodo.com", "agjordan.net", "retro-kids.com", "bobbygoldsports.com", "seitai-kuuto369.com", "sooga.club", "ezsweswrwy68.biz", "1006e.com", "libinyu.com", "prolinkdm.com", "pilysc.com", "blim.xyz", "eshop-dekorax.com", "timestretchmusic.com", "bs6351.com", "diamondmoodle.com", "antioxida.com", "sakugastudios.com", "metaverse-coaching.com", "motometics.com", "illumination-garage.com", "thelocalsproject.com", "erealestater.com", "frankenamazing.com", "arab-enterprises.com", "e15datadev.com", "bet365star.online", "bttextiles.com", "originaltradebot.icu", "test-testjisdnsec.net", "cloudwerx.digital", "gsjbd10.club", "joshuaearp.xyz", "tvaluehelp.com", "quietplaceintheforest.com", "refinanceforblue.com", "voiceoftour.com", "civicinfluence.com", "taxation-resources.com", "regeneration.land", "gogit.net", "spicynipples.com", "goldingravel.com", "selingoo.com", "aaryantech.com", "insight-j.com", "drivenbylight.net", "meipassion.com", "scuolapadelroma.store", "929671.com", "parkerdazzle.com", "yehudi-meshutaf.com", "johnsonforsheriff2022.com", "pointhunteracademy.com", "kyliiejenner.com", "tenlog066.xyz", "dobylife.com", "josemanueldelbusto.com", "vspfrme.com", "256571.com", "crossovertest.net", "fullcurlcnc.com", "theworldisheroyster.com"]}
Multi AV Scanner detection for submitted file
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, Metadefender: Detection: 14%
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match, File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: www.thesocialmediacreator.com/i638/, Virustotal: Detection: 5%
Machine Learning detection for sample
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe, Joe Sandbox ML: detected
Source: 1.2.nongrav.exe.560000.1.unpack, Avira: Label: TR/Dropper.Gen
Source: 22.2.svchost.exe.3f3796c.4.unpack, Avira: Label: TR/Dropper.Gen
Source: 22.2.svchost.exe.3214020.1.unpack, Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, Code function: 0_2_00F32DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown, HTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.3:49837 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.3:49838 version: TLS 1.2
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wextract.pdb source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Binary string: wntdll.pdbUGP source: nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: nongrav.exe, nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
Source: Binary string: wextract.pdbPp source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Binary string: svchost.pdb source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp
Source: Binary string: svchost.pdbUGP source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, Code function: 0_2_00F321E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop esi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.thesocialmediacreator.com/i638/
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-0c-ao-docs.googleusercontent.com | Connection: Keep-Alive
Source: unknown, Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49837
Source: nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmp, String found in binary or memory: https://drive.google.com/uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ
Source: unknown, DNS traffic detected: queries for: drive.google.com
Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-0c-ao-docs.googleusercontent.com | Connection: Keep-Alive
Source: unknown, HTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.3:49837 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.3:49838 version: TLS 1.2
Source: nongrav.exe, 00000001.00000002.507440632.00000000006BA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY

System Summary:

        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000016.00000002.821885746.0000000003F37000.00000004.00020000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000016.00000002.821885746.0000000003F37000.00000004.00020000.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exeCode function: 0_2_00F31DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exeCode function: 0_2_00F35B88
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_004015E0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AAD227
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA9248
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA8F8B
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA969B
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AAA67E
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA8049
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AAB7B8
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AA01F8
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 1_2_02AAC112
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_00408C6B
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_00408C70
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB922AE
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB92EF7
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAE6E30
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAFEBB0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB91FF1
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB8DBD2
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EB92B28
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exeCode function: 15_2_1EAF20A0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB920A8
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EADB090
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB928EC
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EAD841F
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB81002
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EAF2581
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EADD5E0
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB925DD
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EAC0D20
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EAE4120
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EACF900
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB92D07
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB91D55
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A5EBB0
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A46E30
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A20D20
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A44120
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A2F900
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03AF1D55
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A3B090
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03AE1002
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A3841F
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_02D3D1FB
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_02D3C944
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_02D22FB0
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_02D28C70
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_02D28C6B
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_02D22D90
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_02D22D87
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: String function: 1EACB150 appears 35 times
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 1_2_02AA9248 NtAllocateVirtualMemory,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 1_2_02AACBBD NtProtectVirtualMemory,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_00418680 NtReadFile,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_004185D0 NtCreateFile,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_004187B0 NtAllocateVirtualMemory,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_0041867C NtCreateFile,NtReadFile,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_00418622 NtCreateFile,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_004185CD NtCreateFile,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_004187AA NtAllocateVirtualMemory,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB096E0 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09A20 NtResumeThread,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09A00 NtProtectVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09660 NtAllocateVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09A50 NtCreateFile,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB097A0 NtUnmapViewOfSection,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09780 NtMapViewOfSection,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09FE0 NtCreateMutant,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09710 NtQueryInformationToken,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB098F0 NtReadVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09860 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09840 NtDelayExecution,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB099A0 NtCreateSection,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09910 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09540 NtReadFile,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09A80 NtOpenDirectoryObject,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB096D0 NtCreateKey,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09A10 NtQuerySection,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09610 NtEnumerateValueKey,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09670 NtQueryInformationProcess,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09650 NtQueryValueKey,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB0A3B0 NtGetContextThread,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09730 NtQueryVirtualMemory,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB0A710 NtOpenProcessToken,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09B00 NtSetValueKey,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB0A770 NtOpenThread,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09770 NtSetInformationFile,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09760 NtOpenProcess,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB098A0 NtWriteVirtualMemory,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09820 NtEnumerateKey,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB0B040 NtSuspendThread,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB095F0 NtQueryInformationFile,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB099D0 NtCreateProcessEx,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB095D0 NtClose,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB0AD30 NtSetContextThread,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09520 NtWaitForSingleObject,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09560 NtWriteFile,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_1EB09950 NtQueueApcThread,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_005279BE LdrInitializeThunk,NtProtectVirtualMemory,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_00527AB1 Sleep,NtProtectVirtualMemory,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_005279B9 LdrInitializeThunk,NtProtectVirtualMemory,
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Code function: 15_2_00527AE7 NtProtectVirtualMemory,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69780 NtMapViewOfSection,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69FE0 NtCreateMutant,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69710 NtQueryInformationToken,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A696E0 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A696D0 NtCreateKey,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69660 NtAllocateVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69650 NtQueryValueKey,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69A50 NtCreateFile,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A699A0 NtCreateSection,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A695D0 NtClose,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69910 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69540 NtReadFile,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69860 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69840 NtDelayExecution,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A697A0 NtUnmapViewOfSection,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A6A3B0 NtGetContextThread,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69730 NtQueryVirtualMemory,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69B00 NtSetValueKey,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A6A710 NtOpenProcessToken,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69760 NtOpenProcess,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69770 NtSetInformationFile,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A6A770 NtOpenThread,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69A80 NtOpenDirectoryObject,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69A20 NtResumeThread,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69A00 NtProtectVirtualMemory,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69610 NtEnumerateValueKey,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69A10 NtQuerySection,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69670 NtQueryInformationProcess,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A695F0 NtQueryInformationFile,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A699D0 NtCreateProcessEx,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69520 NtWaitForSingleObject,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A6AD30 NtSetContextThread,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69560 NtWriteFile,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69950 NtQueueApcThread,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A698A0 NtWriteVirtualMemory,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A698F0 NtReadVirtualMemory,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A69820 NtEnumerateKey,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_03A6B040 NtSuspendThread,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_02D38680 NtReadFile,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_02D387B0 NtAllocateVirtualMemory,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_02D38700 NtClose,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_02D385D0 NtCreateFile,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_02D3867C NtCreateFile,NtReadFile,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_02D38622 NtCreateFile,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_02D387AA NtAllocateVirtualMemory,
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 22_2_02D385CD NtCreateFile,
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 61538 bytes, 1 file
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Process Stats: CPU usage > 98%
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Binary or memory string: OriginalFilename vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000003.294702939.000000000343E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenongrav.exe vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000000.293866460.0000000000F3A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: nongrav.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Metadefender: Detection: 14%
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | ReversingLabs: Detection: 26%
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: unknown | Process created: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe "C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe"
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
        Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
        Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
        Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe"
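The process chain in the lines above is the observable a responder can alert on: a SysWOW64 svchost.exe started by explorer.exe with no service-group argument, which then spawns cmd.exe to delete the second-stage dropper. The outer chain (wextract.exe self-extractor, extraction to IXP000.TMP, rundll32 advpack.dll,DelNodeRunDLL32 cleanup) is what every Microsoft IExpress package does and is not suspicious on its own. The Python below is an added example, not part of this Joe Sandbox report nor of the Sigma rules it names; the ProcEvent records are constructed from the 'Process created' lines (parent from the 'Source' column), the record schema and the integer analysis ids are assumptions, and ids 0, 1, 15 and 22 simply reuse the report's "<id>_2_<addr>" numbering.

```python
"""Score a sandbox process tree for the chain logged in the report above.

Added example, not code from the Joe Sandbox report or from any tool it names.
Each ProcEvent below is constructed from one 'Process created' line: the parent
is that line's 'Source' process, the child is the process it created. The
ProcEvent schema and the integer analysis ids are assumptions for illustration;
ids 0, 1, 15 and 22 reuse the report's own "<id>_2_<addr>" numbering.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    aid: int            # analysis-local id (assumed), not a Windows PID
    parent_image: str   # "unknown" where the report lists no parent
    image: str
    cmdline: str


def base(path: str) -> str:
    """Case-folded file name of a Windows path (ntpath works off-Windows too)."""
    return ntpath.basename(path).lower()


def check_svchost(ev: ProcEvent) -> list[str]:
    """Two Sigma-style checks: svchost not started by services.exe, and svchost
    running without the '-k <group>' argument that services.exe always passes."""
    if base(ev.image) != "svchost.exe":
        return []
    out = []
    if base(ev.parent_image) != "services.exe":
        out.append(f"svchost.exe started by {base(ev.parent_image)}, not services.exe")
    if not re.search(r"(?i)(^|\s)-k\s+\S+", ev.cmdline):
        out.append("svchost.exe without the '-k <group>' argument services.exe passes")
    return out


def check_iexpress_cleanup(ev: ProcEvent) -> list[str]:
    """rundll32 advpack.dll,DelNodeRunDLL32 on an IXP00n.TMP folder is the normal
    cleanup step of a Microsoft IExpress self-extractor (wextract.exe), which is
    what the outer sample is. Reported as context, not as a malicious finding."""
    if base(ev.image) != "rundll32.exe":
        return []
    if re.search(r'(?i)advpack\.dll,DelNodeRunDLL32\s+"?[^"]*\\IXP\d{3}\.TMP\\', ev.cmdline):
        return ["IExpress self-extractor cleanup (benign by itself; inspect what the IXP folder held)"]
    return []


def check_dropper_deletion(ev: ProcEvent, executed: set[str]) -> list[str]:
    """cmd.exe /c del <file>; high confidence when <file> is an image that already
    ran in this tree, i.e. a later stage is removing its own dropper."""
    if base(ev.image) != "cmd.exe":
        return []
    m = re.search(r'(?i)/c\s+del\s+"?([^"]+?)"?\s*$', ev.cmdline)
    if not m:
        return []
    target, who = m.group(1).lower(), base(ev.parent_image)
    if target in executed:
        return [f"{who} deleted {ntpath.basename(target)}, an image executed earlier in this tree"]
    return [f"{who} deleted {ntpath.basename(target)} via cmd /c del"]


def analyze(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Walk events in creation order and return (analysis id, finding) pairs."""
    findings: list[tuple[int, str]] = []
    executed: set[str] = set()
    for ev in events:
        checks = check_svchost(ev) + check_iexpress_cleanup(ev) + check_dropper_deletion(ev, executed)
        findings.extend((ev.aid, f) for f in checks)
        executed.add(ev.image.lower())
    return findings


DROPPER = r"C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe"
NONGRAV = r"C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"

# Constructed from the report's 'Process created' lines, in the order listed.
REPORT_TREE = [
    ProcEvent(0, "unknown", DROPPER, f'"{DROPPER}"'),
    ProcEvent(1, DROPPER, NONGRAV, NONGRAV),
    ProcEvent(2, "unknown", r"C:\Windows\System32\rundll32.exe",
              'C:\\Windows\\system32\\rundll32.exe" C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
              '"C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\'),
    ProcEvent(15, NONGRAV, NONGRAV, NONGRAV),
    ProcEvent(22, r"C:\Windows\explorer.exe", SVCHOST, SVCHOST),
    ProcEvent(23, SVCHOST, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{NONGRAV}"'),
    ProcEvent(24, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Constructed control: a legitimate service host, which must produce no findings.
BENIGN_SVCHOST = ProcEvent(99, r"C:\Windows\System32\services.exe",
                           r"C:\Windows\System32\svchost.exe",
                           r"C:\Windows\System32\svchost.exe -k netsvcs -p")

if __name__ == "__main__":
    for aid, finding in analyze(REPORT_TREE):
        print(f"[{aid:>2}] {finding}")
```

Running it against the constructed tree yields one context note for the rundll32 cleanup, two findings for the explorer-spawned svchost.exe, and one high-confidence finding for svchost.exe deleting nongrav.exe, an image that already ran in the same tree; the services.exe-started control produces nothing. The deletion correlation is the piece worth keeping in a real detection: a `cmd /c del` on its own is noise, a `cmd /c del` of a file that executed earlier in the same process tree is not.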
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Code function: 0_2_00F31DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@10/1@2/2
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Code function: 0_2_00F35849 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Code function: 0_2_00F33E45 CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA,
        Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_01
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Code function: 0_2_00F34E80 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA,
        Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Command line argument: Kernel32.dll
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: wextract.pdb source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Binary string: wntdll.pdbUGP source: nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: nongrav.exe, nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
        Source: Binary string: wextract.pdbPp source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
        Source: Binary string: svchost.pdb source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp
        Source: Binary string: svchost.pdbUGP source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp
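The debug strings above carry more than they look. `wntdll.pdb` is the PDB name of the 32-bit (WOW64) ntdll.dll, yet the report finds it inside nongrav.exe (analysis id 15) and svchost.exe (id 22) in PAGE_EXECUTE_READWRITE regions at 0x1EAA0000 and 0x03A00000, and every Nt* call site listed earlier for those two processes (15_2_1EB09xxx, 22_2_03A69xxx) falls inside those regions at identical offsets from the two bases. That is consistent with a second, privately mapped copy of ntdll whose syscall stubs are called in place of the legitimately loaded module, a common way to step around user-mode API hooks; the report does not show the processes' module lists here, so confirm against them before stating it as fact. The Python below is an added example, not part of this Joe Sandbox report: it parses the dump names and call-site tags copied from the report, decodes the fields that can be cross-checked against the report itself (process id and phase against the "<id>_<phase>_<addr>" function names, protection against the Windows PAGE_* constants), leaves the counter and final field undecoded, and treats the lowest and highest dumped page of one process as the extent of one image, which is an assumption stated in the code.

```python
"""Correlate the report's memory-dump names with its Nt* call-site addresses.

Added example, not code from the Joe Sandbox report. Dump names and call sites
are copied from the report. Dump names are read as
<proc id>.<phase>.<counter>.<base>.<protect>.<flags>.sdmp: the first, second and
fourth fields are cross-checked against the report's own "<id>_<phase>_<addr>"
function names, the fifth matches the Windows PAGE_* constants; <counter> and
<flags> are left undecoded. Image extents are an assumption explained below.
"""
import re
from dataclasses import dataclass

PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

SDMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\."
                     r"([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")


@dataclass(frozen=True)
class DumpRegion:
    proc_id: int
    phase: int
    base: int
    protect: int

    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, hex(self.protect))


def parse_sdmp(name: str) -> DumpRegion:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    return DumpRegion(int(m[1], 16), int(m[2], 16), int(m[4], 16), int(m[5], 16))


def parse_callsite(tag: str) -> tuple[int, int, int]:
    """'15_2_1EB09950' -> (15, 2, 0x1EB09950)."""
    pid, phase, addr = tag.split("_")
    return int(pid), int(phase), int(addr, 16)


def image_spans(dump_names: list[str]) -> dict[tuple[int, int], tuple[int, int, set[str]]]:
    """Group dumps by (proc, phase). Assumption: dumps that carry the same PDB string
    in one process belong to one image, so the lowest dumped page is its base and
    the highest dumped page plus 0x1000 is a lower bound on its end. The report's
    pairs are both 0x11F000 apart, which is what one image at two bases looks like."""
    groups: dict[tuple[int, int], list[DumpRegion]] = {}
    for name in dump_names:
        r = parse_sdmp(name)
        groups.setdefault((r.proc_id, r.phase), []).append(r)
    return {key: (min(r.base for r in regs),
                  max(r.base for r in regs) + 0x1000,
                  {r.protect_name() for r in regs})
            for key, regs in groups.items()}


def attribute(callsites, spans):
    """Map each '<id>_<phase>_<addr>' tag to (name, proc, image base, RVA), or None
    when the address lies outside every dumped region of that process and phase."""
    out = {}
    for tag, name in callsites.items():
        pid, phase, addr = parse_callsite(tag)
        span = spans.get((pid, phase))
        out[tag] = (name, pid, span[0], addr - span[0]) if span and span[0] <= addr < span[1] else None
    return out


def shared_rvas(attr):
    """RVAs reached in more than one process: the same image mapped at two bases."""
    by_rva: dict[int, set[int]] = {}
    for hit in attr.values():
        if hit:
            by_rva.setdefault(hit[3], set()).add(hit[1])
    return {rva for rva, pids in by_rva.items() if len(pids) > 1}


# Dump names in which the report found the 'wntdll.pdb' string (copied verbatim).
WNTDLL_DUMPS = [
    "0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp",
    "0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp",
    "00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp",
    "00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp",
    "00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp",
    "00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp",
]

# Call sites copied from the report; the last two are controls that should not
# attribute to the copied ntdll (one sits in nongrav.exe's own image, one in a
# process for which no wntdll.pdb dump is listed).
NT_CALLSITES = {
    "15_2_1EB09780": "NtMapViewOfSection", "22_2_03A69780": "NtMapViewOfSection",
    "15_2_1EB09A20": "NtResumeThread", "22_2_03A69A20": "NtResumeThread",
    "15_2_1EB0AD30": "NtSetContextThread", "22_2_03A6AD30": "NtSetContextThread",
    "15_2_1EB09950": "NtQueueApcThread", "22_2_03A69950": "NtQueueApcThread",
    "15_2_00418680": "NtReadFile",
    "1_2_02AA9248": "NtAllocateVirtualMemory",
}

if __name__ == "__main__":
    spans = image_spans(WNTDLL_DUMPS)
    for (pid, phase), (lo, hi, prot) in sorted(spans.items()):
        print(f"proc {pid} phase {phase}: {lo:#010x}-{hi:#010x} {sorted(prot)}")
    hits = attribute(NT_CALLSITES, spans)
    for tag, hit in hits.items():
        print(tag, "->", hit and f"{hit[0]} RVA {hit[3]:#x} in image at {hit[2]:#x}")
    print("RVAs shared across processes:", sorted(map(hex, shared_rvas(hits))))
```

The phase-3 svchost.exe dumps at 0x03600000 and 0x03800000 are PAGE_READWRITE and match no phase-2 call site; they are where the same string was seen before the executable copy existed. The four Nt* pairs resolve to the same RVAs (0x69780, 0x69A20, 0x6AD30, 0x69950) in both processes, while the NtReadFile site inside nongrav.exe's own image and the process-1 call site attribute to nothing, which is the separation a memory-forensics check needs: syscall stubs reached through an RWX region that is not the loaded ntdll, not merely the presence of a PDB string.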

        Data Obfuscation: