

Windows Analysis Report
SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Overview

General Information

Sample Name:SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Analysis ID:680484
MD5:47b96215204bad8db8ce43a4685ee74c
SHA1:6b5af0c13af653e5347e1b5e6a7f3bbecee257d5
SHA256:613edebe9f20eff6958bc447fa000388c1b986e1cdb76930ca061d2c92fe952c
Tags:exe

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus detection for URL or domain
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
Deletes itself after installation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • cleanup

Malware Configuration
{"C2 list": ["www.classicpretty.com/qkkr/"], "decoy": ["7gCdEvi4PU1csVn41UdG95Ufy7SR", "3/kS/9ZgObTlShULwBM8", "UmkOiGYioBlRs12D06oGbv8X", "JHVcqPzZQM4=", "597t26RTZoSV64ak89Q0kUqhiRWZ", "EGeQhlYOeLg5jSU=", "uPMS7r10aXmis6FQ", "bBxVPrS1SNM=", "TGkjh14+21mDz2aAy6gGbv8X", "Jm3QiEjsOJLnDPGK/GhezP9J+w==", "nqvLrZVqboJ018dvX1tvKr8fy7SR", "6TLsXCjsdIRapiVFFW8QLq/Jpyz84bgt", "zAmlDcFiMH2BzqHdfrG10w==", "80byQOwlybg5jSU=", "7+wUCuhxEmJpdn22IQ==", "2BtALhSuf7+qDZLEoxy5YDqSQ7Y=", "Sl3pWETqy+UJZw==", "5O597tysPrbdIcfwRTbC6zqSQ7Y=", "jLnMq5lBKkZChXBmO5s=", "kYuyrH0QySmG5nu1XpW42Q==", "AVBMJBLacrg5jSU=", "A3EiigAN5iQV", "F/sA6K0zGK38TcjqqZf6a/EO", "mO3ly4UvKJ/lKazOfrG10w==", "g5r8xzg9f6x0bHBmO5s=", "/iOw+dqWvwIJZTvwt5b2X+QE", "VpOyflNVFjEf", "GXQWhGozhjmnBet72T7lWsEQ8w==", "rdYUAOqoZ7nfIslcROQt2fE=", "X2RvVx7e62F4x5E4CnV6WsEQ8w==", "0yCtNg7Wcrg5jSU=", "mbPTqHUVyhQpm3BmO5s=", "+kM7JyLOqy5x0YEX4FFtWsEQ8w==", "zzzpWjjD3j6BlWuc/uL7qEOX+qaI", "txIhBcxwTa3+XYzyzJUw2w==", "UVf1TAGb+4XmRb/87Vn5I6DHK9Gb", "NpNAvptlQJ8D2yU3Ft/6a/EO", "4w0O8uNWqzaZ6lNzR+Qt2fE=", "T0/XSzLua7BYvzw=", "AQCJ9bFtcX+S2KNXKQ==", "S6XAupU+A01SrXBmO5s=", "WJvBvpRANTlylxBBJRQj", "Roespn0fNnSis6FQ", "Zl5zgV8FJGthukV331t6WsEQ8w==", "yR+1GPuz6jBXvZc8CfH5tWXFZft+h3kl", "GEdYQw64y+UJZw==", "V1FZLCjxcvJZsZ5efrG10w==", "8xE8RCS8y+UJZw==", "gdDo2JE7Q8srfuoAw6z6a/EO", "ywKjBNd8tKn2FbvOfrG10w==", "MdAFl1EPS0heyzI=", "SZOLcznb1vDhGNuKX1F4F8r4lqQvvQ==", "8RIpGwG+nyBWdn22IQ==", "vxU/Ngu8y+UJZw==", "c5C7l14L4DFQdn22IQ==", "vAftT7Dd5+yadn22IQ==", "aLlEn2PsEmiis6FQ", "2yHKQhapTpn2LLNH", "vLhJvJ5k516vEb73TypG4pEfy7SR", "k+Hy17lycX+S2KNXKQ==", "0NHXxJo7WJqhGrDmvK36a/EO", "3tQjHQW5y+UJZw==", "Yu0MIIV4OYT2LLNH", "aK05uHh9U9cgfg=="]}
Source | Rule | Description | Author | Strings
SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
Source | Rule | Description | Author | Strings
00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
      • 0xdc40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x6e27:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
      • 0x6c25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x66d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x6d27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x6e9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x58ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xc897:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xd9aa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
      • 0x92e9:$sqlite3step: 68 34 1C 7B E1
      • 0x941c:$sqlite3step: 68 34 1C 7B E1
      • 0x932b:$sqlite3text: 68 38 2A 90 C5
      • 0x9473:$sqlite3text: 68 38 2A 90 C5
      • 0x9342:$sqlite3blob: 68 53 D8 7F 8C
      • 0x9495:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
(table truncated: 29 entries in the full report)

Source | Rule | Description | Author | Strings
6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
          • 0x57e1:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1ce40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x977f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x16027:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
          • 0x15e25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x158d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15f27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1609f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x934a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x14aec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa092:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ba97:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1cbaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
          • 0x184e9:$sqlite3step: 68 34 1C 7B E1
          • 0x1861c:$sqlite3step: 68 34 1C 7B E1
          • 0x1852b:$sqlite3text: 68 38 2A 90 C5
          • 0x18673:$sqlite3text: 68 38 2A 90 C5
          • 0x18542:$sqlite3blob: 68 53 D8 7F 8C
          • 0x18695:$sqlite3blob: 68 53 D8 7F 8C
15.2.NETSTAT.EXE.3a67a24.3.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
(table truncated: 5 entries in the full report)

No Sigma rule has matched
No Snort rule has matched
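The string hits listed above (for example `0x92e9:$sqlite3step: 68 34 1C 7B E1` in the process-7 memory dump and `0x184e9` in the unpacked PE) are the byte patterns the Elastic and JPCERT/CC rules look for; `68 xx xx xx xx` is an x86 `push imm32`, so each JPCERT string is a push of one 32-bit constant, which the rule names tie to the sqlite3 API the stealer presumably uses. The scanner below is an added example, not Joe Sandbox, Elastic or JPCERT/CC code: it re-implements only the hex-string part of those rules (with YARA-style `??` wildcards, which these particular strings do not need) so the offsets can be reproduced on a memory dump or unpacked PE without the yara binary. The rules' real conditions are not reproduced in the report, so the `min_strings` threshold is this example's assumption, and the buffer it scans is constructed here, not taken from the sample.

```python
"""YARA-style hex-string scanner for the FormBook string hits in the report.
Added example (not Joe Sandbox / Elastic / JPCERT code); standard library only."""
import re
from typing import Dict, List

# Hex strings copied from the rule hits listed in the report.
JPCERT_FORMBOOK = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}
ELASTIC_FORMBOOK_A1 = {"$a1": "3C 30 50 4F 53 54 74 09 40"}


def hex_to_regex(hexstr: str) -> bytes:
    """Turn 'AA ?? BB' into a bytes regex; '??' matches any single byte."""
    out = []
    for tok in hexstr.split():
        if tok == "??":
            out.append(b".")
        elif len(tok) == 2:
            out.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"bad hex token {tok!r}")
    return b"".join(out)


def find_all(buf: bytes, hexstr: str) -> List[int]:
    """Offsets of every (non-overlapping) occurrence of the hex string."""
    pat = re.compile(hex_to_regex(hexstr), re.DOTALL)
    return [m.start() for m in pat.finditer(buf)]


def scan(buf: bytes, strings: Dict[str, str]) -> Dict[str, List[int]]:
    return {sid: find_all(buf, h) for sid, h in strings.items()}


def matches(hits: Dict[str, List[int]], min_strings: int) -> bool:
    """Rule condition used by this example: at least `min_strings` distinct
    strings hit. The original rules' conditions are not in the report."""
    return sum(1 for offs in hits.values() if offs) >= min_strings


def build_sample_buffer() -> bytes:
    """Constructed test buffer: NOP filler with the JPCERT strings embedded,
    $sqlite3step twice (the report shows two hits per string). Offsets are
    this example's choice, not the sample's."""
    buf = bytearray(b"\x90" * 0x400)

    def put(off: int, hexstr: str) -> None:
        b = bytes.fromhex(hexstr.replace(" ", ""))
        buf[off:off + len(b)] = b

    put(0x2E9, JPCERT_FORMBOOK["$sqlite3step"])
    put(0x32B, JPCERT_FORMBOOK["$sqlite3text"])
    put(0x342, JPCERT_FORMBOOK["$sqlite3blob"])
    put(0x3C0, JPCERT_FORMBOOK["$sqlite3step"])
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_buffer()
    hits = scan(sample, JPCERT_FORMBOOK)
    for sid, offs in hits.items():          # same layout as the report's bullets
        for off in offs:
            print(f"0x{off:x}:{sid}: {JPCERT_FORMBOOK[sid]}")
    print("FormBook (JPCERT strings):", matches(hits, 3))
```

To run it against a real dump, read the `.sdmp` or `.unpack` file into `buf` and call `scan(buf, JPCERT_FORMBOOK)`; the reported offsets are relative to the start of that file, exactly as in the report's bullets.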


AV Detection

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Virustotal: Detection: 40%
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | ReversingLabs: Detection: 46%
Source: Yara match | File source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: www.classicpretty.com/qkkr/ | Avira URL Cloud: Label: malware
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Joe Sandbox ML: detected
Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
            Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.classicpretty.com/qkkr/"], "decoy": ["7gCdEvi4PU1csVn41UdG95Ufy7SR", "3/kS/9ZgObTlShULwBM8", "UmkOiGYioBlRs12D06oGbv8X", "JHVcqPzZQM4=", "597t26RTZoSV64ak89Q0kUqhiRWZ", "EGeQhlYOeLg5jSU=", "uPMS7r10aXmis6FQ", "bBxVPrS1SNM=", "TGkjh14+21mDz2aAy6gGbv8X", "Jm3QiEjsOJLnDPGK/GhezP9J+w==", "nqvLrZVqboJ018dvX1tvKr8fy7SR", "6TLsXCjsdIRapiVFFW8QLq/Jpyz84bgt", "zAmlDcFiMH2BzqHdfrG10w==", "80byQOwlybg5jSU=", "7+wUCuhxEmJpdn22IQ==", "2BtALhSuf7+qDZLEoxy5YDqSQ7Y=", "Sl3pWETqy+UJZw==", "5O597tysPrbdIcfwRTbC6zqSQ7Y=", "jLnMq5lBKkZChXBmO5s=", "kYuyrH0QySmG5nu1XpW42Q==", "AVBMJBLacrg5jSU=", "A3EiigAN5iQV", "F/sA6K0zGK38TcjqqZf6a/EO", "mO3ly4UvKJ/lKazOfrG10w==", "g5r8xzg9f6x0bHBmO5s=", "/iOw+dqWvwIJZTvwt5b2X+QE", "VpOyflNVFjEf", "GXQWhGozhjmnBet72T7lWsEQ8w==", "rdYUAOqoZ7nfIslcROQt2fE=", "X2RvVx7e62F4x5E4CnV6WsEQ8w==", "0yCtNg7Wcrg5jSU=", "mbPTqHUVyhQpm3BmO5s=", "+kM7JyLOqy5x0YEX4FFtWsEQ8w==", "zzzpWjjD3j6BlWuc/uL7qEOX+qaI", "txIhBcxwTa3+XYzyzJUw2w==", "UVf1TAGb+4XmRb/87Vn5I6DHK9Gb", "NpNAvptlQJ8D2yU3Ft/6a/EO", "4w0O8uNWqzaZ6lNzR+Qt2fE=", "T0/XSzLua7BYvzw=", "AQCJ9bFtcX+S2KNXKQ==", "S6XAupU+A01SrXBmO5s=", "WJvBvpRANTlylxBBJRQj", "Roespn0fNnSis6FQ", "Zl5zgV8FJGthukV331t6WsEQ8w==", "yR+1GPuz6jBXvZc8CfH5tWXFZft+h3kl", "GEdYQw64y+UJZw==", "V1FZLCjxcvJZsZ5efrG10w==", "8xE8RCS8y+UJZw==", "gdDo2JE7Q8srfuoAw6z6a/EO", "ywKjBNd8tKn2FbvOfrG10w==", "MdAFl1EPS0heyzI=", "SZOLcznb1vDhGNuKX1F4F8r4lqQvvQ==", "8RIpGwG+nyBWdn22IQ==", "vxU/Ngu8y+UJZw==", "c5C7l14L4DFQdn22IQ==", "vAftT7Dd5+yadn22IQ==", "aLlEn2PsEmiis6FQ", "2yHKQhapTpn2LLNH", "vLhJvJ5k516vEb73TypG4pEfy7SR", "k+Hy17lycX+S2KNXKQ==", "0NHXxJo7WJqhGrDmvK36a/EO", "3tQjHQW5y+UJZw==", "Yu0MIIV4OYT2LLNH", "aK05uHh9U9cgfg=="]}
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: netstat.pdbGCTL | source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.631556804.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netstat.pdb | source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.631556804.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000003.464845740.00000000010F8000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.633709090.000000000064D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.630998523.00000000004A4000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.696035428.000000000352F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000003.464845740.00000000010F8000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.633709090.000000000064D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.630998523.00000000004A4000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.696035428.000000000352F000.00000040.00000800.00020000.00000000.sdmp
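The two "Static PE information" lines above are the IMAGE_FILE_HEADER Characteristics (EXECUTABLE_IMAGE, 32BIT_MACHINE) and the optional header's DllCharacteristics (DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE) of the submitted file; the signature list also flags .NET code, which is recognisable from a non-empty CLR data directory. The reader below is an added example, not Joe Sandbox code, that pulls exactly those fields out of a PE header with the standard library. Because the sample itself is not reproduced here, `build_sample_header()` constructs a bare PE32 header carrying the reported flags plus a placeholder CLR directory entry; the machine type, subsystem and CLR RVA/size in it are this example's assumptions.

```python
"""Read the PE header flags that Joe Sandbox reports as 'Static PE information'
and check for a CLR header. Added example, not Joe Sandbox code."""
import struct

MACHINE = {0x14C: "I386", 0x8664: "AMD64", 0x1C4: "ARMNT", 0xAA64: "ARM64"}

# IMAGE_FILE_HEADER.Characteristics (winnt.h), the bits worth printing
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def _flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def pe_static_info(data: bytes) -> dict:
    """DOS header -> PE signature -> file header -> optional header.
    Raises ValueError for anything that is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    fh = e_lfanew + 4
    machine, _nsec, _time, _symtab, _nsym, _opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20
    (magic,) = struct.unpack_from("<H", data, oh)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # Subsystem (68) and DllCharacteristics (70) sit at the same offsets in PE32 and PE32+
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)
    # Data directories start at 96 (PE32) or 112 (PE32+), each entry (RVA, Size);
    # NumberOfRvaAndSizes is the DWORD just before them.
    dirs_off = oh + (96 if magic == 0x10B else 112)
    (n_dirs,) = struct.unpack_from("<I", data, dirs_off - 4)
    clr_rva = clr_size = 0
    if n_dirs > CLR_DIRECTORY_INDEX:
        clr_rva, clr_size = struct.unpack_from("<II", data, dirs_off + CLR_DIRECTORY_INDEX * 8)
    return {
        "machine": MACHINE.get(machine, f"0x{machine:x}"),
        "pe_format": "PE32" if magic == 0x10B else "PE32+",
        "subsystem": subsystem,
        "characteristics": _flag_names(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": _flag_names(dll_chars, DLL_CHARACTERISTICS),
        "clr_header": clr_rva != 0 and clr_size != 0,   # non-empty => managed (.NET) image
    }


def build_sample_header() -> bytes:
    """Constructed PE32 header only (no sections, not loadable) with the flags
    the report lists for the sample and a placeholder CLR directory entry.
    Every other field is zero or a placeholder chosen by this example."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                                   # PE32 optional header, 16 directories
    file_header = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<H", opt, 68, 2)               # IMAGE_SUBSYSTEM_WINDOWS_GUI (assumed)
    struct.pack_into("<H", opt, 70, 0x8540)          # DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)  # CLR header (placeholder)
    return dos + b"PE\0\0" + file_header + bytes(opt)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    for key, value in pe_static_info(data).items():
        print(f"{key}: {value}")
```

Run with a file path to inspect a real sample, or with no arguments to see the constructed header decoded to the same flag names the report uses. DYNAMIC_BASE and NX_COMPAT are simply the defaults the .NET compiler emits, so on their own they say nothing about intent; the combination that matters here is 32BIT_MACHINE plus a CLR header, which is why the payload later runs inside SysWOW64 hosts.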

Networking

Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: Yara match | File source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, type: SAMPLE
Source: Yara match | File source: 15.2.NETSTAT.EXE.3a67a24.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Malware configuration extractor | URLs: www.classicpretty.com/qkkr/
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | String found in binary or memory: http://boards.4chan.org/b/
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | String found in binary or memory: http://boards.4chan.org3Retrieving
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | String found in binary or memory: http://images.4chan.org/
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | DNS traffic detected: queries for: www.thesnapnsipbottle.com
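Two things in this section deserve a practitioner's attention. First, the network indicators worth acting on are the extracted C2 path www.classicpretty.com/qkkr/ and the observed DNS query for www.thesnapnsipbottle.com (FormBook queries its decoy domains alongside the real C2, so treat a DNS hit alone as lower-confidence); the font-vendor and Apache-licence URLs are metadata from embedded fonts and .NET resources, not infrastructure. Second, the one process-creation line above, explorer.exe starting C:\Windows\SysWOW64\NETSTAT.EXE, together with the signatures "Creates a process in suspended mode", "Sample uses process hollowing technique" and the two PIDs (5860 and 5032) the report lists for the sample, is FormBook's documented chain: the loader relaunches itself and hollows the copy, the payload lands in explorer.exe, and explorer.exe launches a 32-bit system tool with no arguments to hollow in turn. The detection below is an added example, not Joe Sandbox code, that encodes those two steps over constructed events in the shape of Sysmon Event ID 1 records. The PIDs 5860, 5032 and 5260 come from the report; the sample's on-disk path, the parent PIDs and the two benign events are invented for the test.

```python
"""Detect the sample-relaunch and explorer.exe -> argument-less SysWOW64 tool
steps of the process chain shown in the report. Added example, not Joe Sandbox
code; event data is constructed."""
import ntpath
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the creating process
    command_line: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def args_after_image(ev: ProcEvent) -> str:
    """Strip the image path (quoted or bare, full or basename) off the command
    line; whatever remains are the real arguments."""
    cl = ev.command_line.strip()
    for candidate in (f'"{ev.image}"', ev.image, f'"{_base(ev.image)}"', _base(ev.image)):
        if cl.lower().startswith(candidate.lower()):
            return cl[len(candidate):].strip()
    return cl


def explorer_spawns_argless_syswow64_tool(ev: ProcEvent) -> bool:
    # A console tool under SysWOW64 started by explorer.exe with an empty
    # argument list is not something a user does; it is a clean 32-bit
    # process for injected code to hollow (NETSTAT.EXE in this report).
    return (_base(ev.parent_image) == "explorer.exe"
            and "\\syswow64\\" in ev.image.lower()
            and args_after_image(ev) == "")


def process_relaunches_itself(ev: ProcEvent) -> bool:
    # Image == ParentImage outside the Windows directory: a loader starting a
    # second copy of itself (the report lists two PIDs for the sample). Chains
    # like cmd.exe -> cmd.exe inside C:\Windows are excluded to keep it quiet.
    img = ev.image.lower()
    return img == ev.parent_image.lower() and not img.startswith("c:\\windows\\")


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "self_relaunch": process_relaunches_itself,
    "explorer_argless_syswow64_tool": explorer_spawns_argless_syswow64_tool,
}


def analyze(events: List[ProcEvent]) -> List[dict]:
    """One alert per (event, rule) hit, in event order."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append({"rule": name, "pid": ev.pid,
                               "image": ev.image, "parent": ev.parent_image})
    return alerts


SAMPLE = r"C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe"  # assumed path
EXPLORER = r"C:\Windows\explorer.exe"
NETSTAT = r"C:\Windows\SysWOW64\NETSTAT.EXE"

# Constructed events. Joe Sandbox prints "Process created: <image> <command line>",
# so the NETSTAT line in the report means the command line was just the image path.
EVENTS = [
    ProcEvent(5860, 4404, SAMPLE, EXPLORER, f'"{SAMPLE}"'),                      # user opens the lure
    ProcEvent(5032, 5860, SAMPLE, SAMPLE, f'"{SAMPLE}"'),                        # relaunch; this copy is hollowed
    ProcEvent(5260, 4404, NETSTAT, EXPLORER, NETSTAT),                           # explorer.exe starts netstat, no args
    ProcEvent(6100, 4404, r"C:\Windows\System32\notepad.exe", EXPLORER,
              r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'),    # benign: real arguments
    ProcEvent(6200, 6150, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd.exe /c dir"),                                                # benign: Windows-dir self-spawn
]

if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

The argument check is what keeps the second rule usable: explorer.exe legitimately launches plenty of system binaries, but almost always with a document or switch on the command line. In a real deployment, feed it Sysmon Event ID 1 (ParentImage, Image, CommandLine) and pair a hit with the memory-dump Yara match on the child, as the report does for PID 5260.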

E-Banking Fraud

Source: Yara match | File source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5860, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5032, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 5260, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample | Static PE information: Filename: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5860, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5032, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Process Memory Space: NETSTAT.EXE PID: 5260, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 0_2_01803DC4
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 0_2_01808458
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012B0D20
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012D4120
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012BF900
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_01381D55
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012E2581
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012CD5E0
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012C841F
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_01371002
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012E20A0
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012CB090
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012EEBB0
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012D6E30
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: String function: 012BB150 appears 35 times
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9540 NtReadFile,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F99A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F95D0 NtClose,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F98F0 NtReadVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F97A0 NtUnmapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9A20 NtResumeThread,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9A00 NtProtectVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9520 NtWaitForSingleObject,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012FAD30 NtSetContextThread,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9560 NtWriteFile,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9950 NtQueueApcThread,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F95F0 NtQueryInformationFile,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F99D0 NtCreateProcessEx,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9820 NtEnumerateKey,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012FB040 NtSuspendThread,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F98A0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9730 NtQueryVirtualMemory,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9B00 NtSetValueKey,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012FA710 NtOpenProcessToken,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9760 NtOpenProcess,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9770 NtSetInformationFile,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012FA770 NtOpenThread,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012FA3B0 NtGetContextThread,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9A10 NtQuerySection,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9610 NtEnumerateValueKey,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9670 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9650 NtQueryValueKey,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F9A80 NtOpenDirectoryObject,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_012F96D0 NtCreateKey,
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.491093664.0000000007890000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.491770747.0000000007A10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDoncepre.dll@ vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.468118041.000000000333C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDoncepre.dll@ vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000000.415017725.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameICryptoTransf.exe: vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.487937932.0000000007860000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000003.451204538.00000000076F3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000003.465937869.0000000001217000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.631556804.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Binary or memory string: OriginalFilenameICryptoTransf.exe: vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Virustotal: Detection: 40%
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | ReversingLabs: Detection: 46%
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe "C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe"
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Process created: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Process created: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\InProcServer32
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.log
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/1@1/0
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, Scraper/Archiving/Zip/Compression/Streams/DeflaterOutputStream.cs | Cryptographic APIs: 'TransformBlock'
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, Scraper/Archiving/Zip/Compression/Streams/InflaterInputBuffer.cs | Cryptographic APIs: 'TransformBlock'
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, Scraper/Archiving/Zip/Compression/Streams/InflaterInputBuffer.cs | Cryptographic APIs: 'TransformBlock'
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, Scraper/frmMain.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: netstat.pdbGCTL source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.631556804.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netstat.pdb source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.631556804.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000003.464845740.00000000010F8000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.633709090.000000000064D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.630998523.00000000004A4000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.696035428.000000000352F000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000003.464845740.00000000010F8000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.633709090.000000000064D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.630998523.00000000004A4000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.696035428.000000000352F000.00000040.00000800.00020000.00000000.sdmp

            Data Obfuscation

            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, Scraper/frmMain.cs | .Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Code function: 6_2_0130D0D1 push ecx; ret
            Source: initial sample | Static PE information: section name: .text entropy: 7.5981105192888725

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\NETSTAT.EXE | File deleted: c:\users\user\desktop\swift transfer (103) __037rtg2050822156____pdf__.exe
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match File source: 00000000.00000002.467346210.00000000032FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5860, type: MEMORYSTR
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.467346210.00000000032FB000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.467346210.00000000032FB000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe TID: 5792 Thread sleep time: -45877s >= -30000s
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe TID: 2884 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F6DE6 rdtsc
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe API coverage: 5.9 %
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Thread delayed: delay time: 45877
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Thread delayed: delay time: 922337203685477
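The lines above are the report's evasion evidence for this sample: AntiVM Yara hits on the sample's own memory, the Sandboxie (SBIEDLL.DLL) and Wine (wine_get_unix_file_name) lookup strings, two thread sleeps (45877 ms, and 922337203685477 ms, which is 2^63 / 10000, i.e. .NET TimeSpan.MaxValue expressed in milliseconds, so an indefinite sleep rather than a delay) and an rdtsc timing check. The VMware strings listed further down in this section come from two different places and should not be weighed the same: the VMware Tools install path and registry key sit in the sample's memory and are things a program has to ask for, whereas the SCSI and CD-ROM device identifiers found in explorer.exe are the analysis VM's own PnP inventory and would show up in any report taken on that VM. The following Python is an added triage example, not part of the Joe Sandbox report or of Joe Sandbox's tooling: it parses a handful of Source lines constructed from this section (dump names shortened) and weighs every indicator by what it is and which process it was observed in. The artifact table, the three weights and the 30 s threshold are the example's own assumptions.

```python
# Added example: triage of Joe Sandbox "Malware Analysis System Evasion" lines.
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_EXE = "swift transfer (103) __037rtg2050822156____pdf__.exe"

# 2**63 // 10_000 == 922337203685477: .NET TimeSpan.MaxValue in milliseconds.
# A sleep this long is not a delay, it is a thread that never wakes up.
DOTNET_MAX_SLEEP_MS = (1 << 63) // 10_000
SANDBOX_SLEEP_THRESHOLD_MS = 30_000   # the ">= -30000s" bound the report compares against

# lowercase substring -> (family, kind). A "check" string only exists in a process
# that deliberately looks for it; an "inventory" string is a PnP device name that
# the OS hands to anything enumerating hardware. Specific needles come first.
ARTIFACTS = {
    "sbiedll":                 ("Sandboxie", "check"),
    "wine_get_unix_file_name": ("Wine",      "check"),
    "vmware tools":            ("VMware",    "check"),
    "vmware svga":             ("VMware",    "inventory"),
    "necvmwar":                ("VMware",    "inventory"),
    "ven_vmware":              ("VMware",    "inventory"),
    "hgfs":                    ("VMware",    "inventory"),
    "vmware":                  ("VMware",    "inventory"),
}

# Source column (process, optional dump name or TID) then the detail column;
# the extraction may fuse the two or separate them with whitespace or " - ".
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*(?:-\s*)?"
    r"(?P<what>(?:Binary or memory string|Thread sleep time|Thread delayed"
    r"|Code function|Process token adjusted): .*)$")
PROC_RE = re.compile(r"([^\\,]+?\.exe)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    process: str    # basename of the process the observation was made in
    category: str   # anti-vm | sleep | timing | privilege
    detail: str
    weight: str     # strong | moderate | weak


def _weigh_string(process: str, kind: str, sample_exe: str) -> str:
    """A deliberate check in the sample's own memory is strong evidence; device
    inventory sitting in explorer.exe is just the VM describing itself."""
    from_sample = process == sample_exe
    if kind == "check" and from_sample:
        return "strong"
    if kind == "check" or from_sample:
        return "moderate"
    return "weak"


def classify(line: str, sample_exe: str = SAMPLE_EXE) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None                        # Yara match lines, SetErrorMode noise, ...
    proc = PROC_RE.search(m["src"])
    process = proc.group(1).lower() if proc else "?"
    what = m["what"]
    if what.startswith("Binary or memory string: "):
        text = what.split(": ", 1)[1].lower()
        for needle, (family, kind) in ARTIFACTS.items():
            if needle in text:
                return Finding(process, "anti-vm", f"{family} artifact {needle!r}",
                               _weigh_string(process, kind, sample_exe))
        return None
    if what.startswith(("Thread sleep time: ", "Thread delayed: ")):
        ms = int(re.search(r"\d+", what).group())   # the minus sign is NT relative-time notation
        if ms >= DOTNET_MAX_SLEEP_MS:
            return Finding(process, "sleep", "indefinite (.NET TimeSpan.MaxValue)", "moderate")
        long_sleep = ms >= SANDBOX_SLEEP_THRESHOLD_MS
        return Finding(process, "sleep", f"{ms / 1000:.1f} s", "moderate" if long_sleep else "weak")
    if what.startswith("Code function: ") and what.endswith(" rdtsc"):
        return Finding(process, "timing", f"rdtsc in {what.split()[2]}", "moderate")
    if what == "Process token adjusted: Debug":
        return Finding(process, "privilege", "SeDebugPrivilege enabled", "moderate")
    return None


def triage(lines):
    return [f for f in map(classify, lines) if f is not None]


def summarize(findings):
    """(category, weight) -> count, the shape a triage note needs."""
    counts = {}
    for f in findings:
        counts[(f.category, f.weight)] = counts.get((f.category, f.weight), 0) + 1
    return counts


# Constructed from the report above; dump names shortened to keep the lines readable.
REPORT_LINES = [
    r"Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.467346210.sdmpBinary or memory string: SBIEDLL.DLL",
    r"Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.467346210.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME",
    r"Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools",
    r"Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.sdmpBinary or memory string: VMware SVGA II",
    r"Source: explorer.exe, 00000007.00000000.509018964.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
    r"Source: explorer.exe, 00000007.00000000.509899975.sdmpBinary or memory string: VMware SATA CD00",
    r"Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe TID: 5792Thread sleep time: -45877s >= -30000s",
    r"Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe TID: 2884Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012F6DE6 rdtsc",
    r"Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess token adjusted: Debug",
]
```

Running triage(REPORT_LINES) yields three strong anti-VM findings (all in the sample's own memory), one moderate (the SVGA adapter name, which the sample may simply have picked up from the display subsystem), two weak ones from explorer.exe, the two sleeps, the rdtsc and the SeDebugPrivilege adjustment in NETSTAT.EXE. Note that the netstat finding is attributed to netstat.exe: the process tree elsewhere in the report, not this parser, is what ties that process back to the sample's injection.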
            Source: explorer.exe, 00000007.00000000.554128004.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000007.00000000.509018964.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000003.456658745.0000000007970000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: >bHgfs
            Source: explorer.exe, 00000007.00000000.554128004.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000007.00000000.554128004.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
            Source: explorer.exe, 00000007.00000000.509899975.0000000007F8A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
            Source: explorer.exe, 00000007.00000000.545591194.0000000006915000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000007.00000000.554256507.00000000080B1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
            Source: explorer.exe, 00000007.00000000.509899975.0000000007F8A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
            Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F6DE6 rdtsc
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\NETSTAT.EXE Process token adjusted: Debug
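Every "mov eax, dword ptr fs:[00000030h]" (or the ecx variant) listed below loads the 32-bit PEB pointer out of the TEB. The report records the load but not which PEB field the code goes on to read, and that is what separates an anti-debug check (BeingDebugged at +0x02, NtGlobalFlag at +0x68, the heap flags reached through ProcessHeap at +0x18) from a loader that walks the module list (Ldr at +0x0C) to resolve APIs without an import table; a function with a dozen such reads, like 6_2_012C3D34, needs disassembly before either label can be attached. The Python below is an added example, not part of the Joe Sandbox report: it finds the fs:[30h] load encodings in raw 32-bit code and labels each load by the displacement the very next instruction applies to the PEB register, reporting "unresolved" when the pointer is saved and used later rather than guessing. The byte sequence is constructed; the report's function address 0x012C3D34 is used only as a base address when printing.

```python
# Added example: label 32-bit PEB reads by the field the next instruction touches.
from collections import Counter
from typing import List, Optional, Tuple

# Offsets in the 32-bit PEB that anti-analysis and loader code read most often.
PEB_FIELDS_X86 = {
    0x02: "BeingDebugged",      # the byte IsDebuggerPresent() returns
    0x0C: "Ldr",                # module list: manual API resolution, SbieDll.dll lookup
    0x10: "ProcessParameters",  # command line, image path
    0x18: "ProcessHeap",        # heap Flags/ForceFlags differ under a debugger
    0x68: "NtGlobalFlag",       # FLG_HEAP_* bits the loader sets when a debugger is attached
}

# Byte encodings of the loads the report shows as "mov eax/ecx, dword ptr fs:[00000030h]".
PEB_LOADS = {
    bytes.fromhex("64a130000000"):   "eax",   # mov eax, fs:[30h]  (A1 moffs32 form)
    bytes.fromhex("648b0530000000"): "eax",   # mov eax, fs:[30h]  (8B /r form)
    bytes.fromhex("648b0d30000000"): "ecx",   # mov ecx, fs:[30h]
}
REG_RM = {"eax": 0, "ecx": 1}                  # ModRM r/m value of the base register

# Opcodes whose r/m operand is the memory read we want to classify:
# 8B mov r32,[..]  8A mov r8,[..]  3A cmp r8,[..]  80 /7 cmp byte [..],imm8  F6 /0 test byte [..],imm8
ONE_BYTE_RM_OPCODES = {0x8B, 0x8A, 0x3A, 0x80, 0xF6}


def _disp8_from_base(code: bytes, i: int, base: str) -> Optional[int]:
    """Decode the ModRM byte at code[i] if it encodes [base + disp8]; return the displacement."""
    if i + 1 >= len(code):
        return None
    modrm = code[i]
    mod, rm = modrm >> 6, modrm & 7
    if mod != 0b01 or rm != REG_RM[base]:    # mod=01 means disp8; rm must be the PEB register (no SIB)
        return None
    return code[i + 1]


def _field_offset(code: bytes, i: int, base: str) -> Optional[int]:
    """PEB offset read by the instruction at code[i], if it dereferences base+disp8."""
    if i >= len(code):
        return None
    if code[i] == 0x0F and i + 1 < len(code) and code[i + 1] in (0xB6, 0xB7):  # movzx r32, byte/word [..]
        return _disp8_from_base(code, i + 2, base)
    if code[i] in ONE_BYTE_RM_OPCODES:
        return _disp8_from_base(code, i + 1, base)
    return None


def label_peb_reads(code: bytes, base_va: int = 0) -> List[Tuple[int, str, str]]:
    """(va, register, label) for every fs:[30h] load; the label is the PEB field the
    very next instruction reads, or 'unresolved' when the pointer is used later."""
    out = []
    for pattern, reg in PEB_LOADS.items():
        idx = code.find(pattern)
        while idx != -1:
            disp = _field_offset(code, idx + len(pattern), reg)
            label = "unresolved" if disp is None else PEB_FIELDS_X86.get(disp, f"PEB+{disp:#x}")
            out.append((base_va + idx, reg, label))
            idx = code.find(pattern, idx + 1)
    return sorted(out)


def field_histogram(code: bytes) -> Counter:
    """How often each field is read: Ldr-heavy suggests a loader, BeingDebugged/NtGlobalFlag anti-debug."""
    return Counter(label for _, _, label in label_peb_reads(code))


# Constructed code bytes: five PEB loads, each followed by a typical use.
SAMPLE_CODE = bytes.fromhex(
    "64a130000000" "8a4002"        # mov eax,fs:[30h]; mov al,[eax+2]      -> BeingDebugged
    "64a130000000" "8b4068"        # mov eax,fs:[30h]; mov eax,[eax+68h]   -> NtGlobalFlag
    "648b0d30000000" "8b490c"      # mov ecx,fs:[30h]; mov ecx,[ecx+0Ch]   -> Ldr
    "64a130000000" "8b4018"        # mov eax,fs:[30h]; mov eax,[eax+18h]   -> ProcessHeap
    "64a130000000" "50"            # mov eax,fs:[30h]; push eax            -> unresolved
    "c3"                           # ret
)

if __name__ == "__main__":
    for va, reg, label in label_peb_reads(SAMPLE_CODE, base_va=0x012C3D34):
        print(f"{va:08X}  mov {reg}, fs:[30h]  ->  {label}")
    print(dict(field_histogram(SAMPLE_CODE)))
```

The decoder deliberately only looks one instruction ahead and only at the [reg+disp8] form, which covers the compact checks compilers and hand-written stubs emit; code that copies the pointer to another register or stack slot first shows up as "unresolved", and the histogram of labels for a function is the quickest way to decide whether to spend time on it.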
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0133A537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01388D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D4120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BAD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BC962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F3D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01333540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D7D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013351BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013351BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013351BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013351BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E61A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E61A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E35A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013805AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013805AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013369A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EA185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DC182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E2990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01368DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CD5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CD5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013441E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EBC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01337016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01337016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01337016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01384015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01384015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0138740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0138740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0138740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01372073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01381074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EA44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F90AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EF0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B9080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01333884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01333884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B58EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013714FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134B8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01388CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B4F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B4F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EE730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EA70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EA70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0137131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0138070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0138070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DF716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BDB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CFF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01388F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E3B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E3B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01388B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BDB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CEF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BF358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01385BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01337794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01337794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01337794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0136D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C8794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012E2397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_0137138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012EB390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012DDBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012F37F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_013353CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_013353CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012F4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012F4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_0136FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012BE620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012C8A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012BC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012BC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012BC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012E8E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012D3A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012EA61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012EA61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012B5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012B5210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012B5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012B5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012BAA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012BAA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012C766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012F927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_0136B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_0136B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_01388A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012DAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012DAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012DAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012DAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012DAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_01344257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012B9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012B9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012B9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012B9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012B52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012B52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012B52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012B52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012B52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_013346A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012CAAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012CAAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_01380EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_01380EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_01380EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012EFAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_0134FE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012ED294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012ED294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012E2AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012E16E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012C76E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012E36CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012E2ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012F8EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_01388ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_0136FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess queried: DebugPort
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeCode function: 6_2_012F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 90000
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Memory written: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Thread APC queued: target process: C:\Windows\explorer.exe
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Thread register set: target process: 684
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Thread register set: target process: 684
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Process created: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
            Source: explorer.exe, 00000007.00000000.540451282.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.497150687.0000000006100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.597068063.0000000006100000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000007.00000000.540451282.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.474229294.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.586731988.0000000000E38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
            Source: explorer.exe, 00000007.00000000.540451282.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.474229294.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.661066106.0000000001430000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: YProgram Managerf
            Source: explorer.exe, 00000007.00000000.540451282.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.474229294.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.661066106.0000000001430000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

Source: Yara match | File source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

Source: Yara match | File source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Valid Accounts | 1 Shared Modules | Path Interception | 512 Process Injection | 1 Masquerading | OS Credential Dumping | 121 Security Software Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 11 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 512 Process Injection | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 11 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Connections Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 13 Software Packing | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

(The digits in front of a technique name are the report's signature-count badges, kept as extracted.)

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | 40% | Virustotal | | Browse
SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | 46% | ReversingLabs | Win32.Spyware.Noon |
SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
--- | --- | --- | --- | --- | ---
6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File

Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
shops.myshopify.com | 0% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
www.classicpretty.com/qkkr/ | 1% | Virustotal | | Browse
www.classicpretty.com/qkkr/ | 100% | Avira URL Cloud | malware |
http://boards.4chan.org3Retrieving | 0% | Avira URL Cloud | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
shops.myshopify.com | 23.227.38.74 | true | false | | unknown
www.thesnapnsipbottle.com | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
--- | --- | --- | ---
www.classicpretty.com/qkkr/ | true | 1%, Virustotal, Browse; Avira URL Cloud: malware | low
Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
http://www.apache.org/licenses/LICENSE-2.0 | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://boards.4chan.org/b/ | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | false | | high
http://www.fontbureau.com/designers? | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://boards.4chan.org3Retrieving | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://images.4chan.org/ | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe | false | | high
http://www.urwpp.deDPlease | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                      No contacted IP infos
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 680484
Start date and time: 08/08/2022 17:21:01 (2022-08-08 17:21:01 +02:00)
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 10s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@4/1@1/0
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HDC Information:
                                      • Successful, ratio: 91.8% (good quality ratio 78.4%)
                                      • Quality average: 70.5%
                                      • Quality standard deviation: 34.4%
                                      HCA Information:
                                      • Successful, ratio: 96%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.152.110.14, 20.54.89.106, 20.223.24.244
                                      • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, e12564.dspb.akamaiedge.net, licensing.mp.microsoft.com, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.

Time | Type | Description
--- | --- | ---
17:22:25 | API Interceptor | 1x Sleep call for process: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe modified

No context
Process: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1308
Entropy (8bit): 5.345811588615766
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5: 2E016B886BDB8389D2DD0867BE55F87B
SHA1: 25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256: 1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512: C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious: true
Reputation: high, very likely benign file
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.461302452992026
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
                                      File size:988160
                                      MD5:47b96215204bad8db8ce43a4685ee74c
                                      SHA1:6b5af0c13af653e5347e1b5e6a7f3bbecee257d5
                                      SHA256:613edebe9f20eff6958bc447fa000388c1b986e1cdb76930ca061d2c92fe952c
                                      SHA512:b52c7e468cce2953a3d4880d1b2f8dc147147c8311c6f79b6bd766b67b7f4a1b28f34498bc02341cdcac0a735ecf8d6e78e495991780aa0d72f2acfe4f30f47e
                                      SSDEEP:24576:n6n08/X7tViZ4mMvQQdC6BTe9IbUDHDlF:n6n08/X7tM4m+QQb7UT
                                      TLSH:86259D07AFA43705E4B75BB9DD5B686183F27809717EE3782E905C9B2DFA301D80162B
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....r.b..............0..:...........E... ...`....@.. .......................`............@................................
                                      Icon Hash:c68ce86ecc8c8ac8
                                      Entrypoint:0x4e45e6
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x62F072E8 [Mon Aug 8 02:20:24 2022 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      mov bh, 1Dh
                                      rol dword ptr [esi+ebp*2], 3Bh
                                      or byte ptr [ecx], FFFFFFD9h
                                      inc ebx
                                      or eax, 130476DCh
                                      imul ebp, dword ptr [ebx-3Bh], 17h
                                      mov dl, 4Dh
                                      xchg byte ptr [edx], bl
                                      add eax, B81E4750h
                                      in eax, dx
                                      or byte ptr [esi], ah
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe4594 | 0x4f | .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe6000 | 0xd4bc | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf4000 | 0xc | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x2000 | 0xe3964 | 0xe3a00 | False | 0.7369566429846238 | data | 7.5981105192888725 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rsrc | 0xe6000 | 0xd4bc | 0xd600 | False | 0.27655884929906543 | data | 3.7576742623203367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0xf4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      Name | RVA | Size | Type | Language | Country
                                      RT_ICON | 0xe6128 | 0x94a8 | dBase III DBT, version number 0, next free block index 40 | |
                                      RT_ICON | 0xef5e0 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | |
                                      RT_ICON | 0xf1b98 | 0x10a8 | data | |
                                      RT_ICON | 0xf2c50 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                      RT_GROUP_ICON | 0xf30c8 | 0x3e | data | |
                                      RT_VERSION | 0xf3118 | 0x3a0 | data | |
                                      DLL | Import
                                      mscoree.dll | _CorExeMain
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Aug 8, 2022 17:24:22.907291889 CEST | 63301 | 53 | 192.168.2.5 | 8.8.8.8
                                      Aug 8, 2022 17:24:22.943212032 CEST | 53 | 63301 | 8.8.8.8 | 192.168.2.5
                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                      Aug 8, 2022 17:24:22.907291889 CEST | 192.168.2.5 | 8.8.8.8 | 0xa5c5 | Standard query (0) | www.thesnapnsipbottle.com | A (IP address) | IN (0x0001)
                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                      Aug 8, 2022 17:24:22.943212032 CEST | 8.8.8.8 | 192.168.2.5 | 0xa5c5 | No error (0) | www.thesnapnsipbottle.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001)
                                      Aug 8, 2022 17:24:22.943212032 CEST | 8.8.8.8 | 192.168.2.5 | 0xa5c5 | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001)


                                      Target ID:0
                                      Start time:17:22:06
                                      Start date:08/08/2022
                                      Path:C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe"
                                      Imagebase:0xd10000
                                      File size:988160 bytes
                                      MD5 hash:47B96215204BAD8DB8CE43A4685EE74C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.467346210.00000000032FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low

                                      Target ID:6
                                      Start time:17:22:27
                                      Start date:08/08/2022
                                      Path:C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
                                      Imagebase:0x850000
                                      File size:988160 bytes
                                      MD5 hash:47B96215204BAD8DB8CE43A4685EE74C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      Target ID:7
                                      Start time:17:22:33
                                      Start date:08/08/2022
                                      Path:C:\Windows\explorer.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Explorer.EXE
                                      Imagebase:0x7ff74fc70000
                                      File size:3933184 bytes
                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:high

                                      Target ID:15
                                      Start time:17:23:44
                                      Start date:08/08/2022
                                      Path:C:\Windows\SysWOW64\NETSTAT.EXE
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\NETSTAT.EXE
                                      Imagebase:0x90000
                                      File size:32768 bytes
                                      MD5 hash:4E20FF629119A809BC0E7EE2D18A7FDB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:moderate

                                      No disassembly