Windows Analysis Report
Bank swift.exe

Overview

General Information

Sample name: Bank swift.exe
Analysis ID: 1540335
MD5: a9a37483725640f15287ebad5eddfabf
SHA1: 9f254db4527381e6496df48b5bf1c3f022cb704b
SHA256: 7485c7b439341ddefbc3a27c36fd79acd5bad67aed05e9ccdaf7689a6d71ab23
Tags: exe, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.ehills.shop/m25s/"], "decoy": ["araghospitality.net", "cleans.xyz", "olnacasinotcs14.top", "pringhillinfos.net", "erkakasrumah.online", "orean-course-289113002.zone", "yeloma-treatment-82106.bond", "76iw543gw.autos", "nline-shopping-56055.bond", "enetik.xyz", "ax-th-6011838.fyi", "itygatehousing.app", "23zy998jk.bond", "pslag-hal-2.online", "uykoii.shop", "9supjub3p.buzz", "tmgl.bond", "actus-catering-creations.net", "ntercashspace24.homes", "ierra777.vip", "ental-health-69511.bond", "newordforpurpose.info", "roppsple.shop", "edant.ltd", "imitake.xyz", "ransportationmwmptpro.top", "roncrow.biz", "armanshop.xyz", "ealthy-life-products.online", "raphic-design-degree-33148.bond", "ildcraft.xyz", "16-lawn-care.today", "7732.club", "vitor.live", "uy-smart-tv-nl.today", "sone.best", "ellcli.net", "52006.club", "abelzshop.online", "cctofi.cpa", "alisu.xyz", "roformance.shop", "cskuvq.shop", "anforexuytin.cfd", "raceg.cyou", "rimevest-global.info", "ealthcare-trends-60670.bond", "oo.bio", "itodemo.click", "ottah.studio", "teamgame-mod.net", "39474.club", "yai11.top", "onnorbell.design", "dt5r.shop", "6874.club", "wistlnc.net", "ntermoney24cad.homes", "attoomasteracademy.online", "3win4.cyou", "xewaov.xyz", "6uzh.digital", "ransportationwlsltpro.top", "oches-a-credito-es.bond"]}
Source: Bank swift.exe ReversingLabs: Detection: 47%
Source: Yara match File source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Bank swift.exe Joe Sandbox ML: detected
Source: Bank swift.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Bank swift.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: cscript.pdbUGP source: Bank swift.exe, 00000003.00000002.2110051359.00000000015B0000.00000040.10000000.00040000.00000000.sdmp, Bank swift.exe, 00000003.00000002.2109559935.0000000001198000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: ThGx.pdb source: Bank swift.exe
Source: Binary string: ThGx.pdbSHA256 source: Bank swift.exe
Source: Binary string: wntdll.pdbUGP source: Bank swift.exe, 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.2108905844.000000000515F000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.2112308434.000000000530E000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Bank swift.exe, Bank swift.exe, 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000005.00000003.2108905844.000000000515F000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.2112308434.000000000530E000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cscript.pdb source: Bank swift.exe, 00000003.00000002.2110051359.00000000015B0000.00000040.10000000.00040000.00000000.sdmp, Bank swift.exe, 00000003.00000002.2109559935.0000000001198000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_00792674 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,__alloca_probe_16,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose, 5_2_00792674
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 4x nop then pop ebx 3_2_00407B1B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then pop ebx 5_2_02FD7B1B

Networking

Source: Malware configuration extractor URLs: www.ehills.shop/m25s/
Source: unknown DNS traffic detected: query: www.ntermoney24cad.homes replycode: Name error (3)
Source: unknown DNS traffic detected: query: www.newordforpurpose.info replycode: Name error (3)
Source: unknown DNS traffic detected: query: www.teamgame-mod.net replycode: Name error (3)
Source: unknown DNS traffic detected: query: www.39474.club replycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ransportationwlsltpro.top replycode: Name error (3)
Source: unknown DNS traffic detected: query: www.itygatehousing.app replycode: Name error (3)
Source: unknown DNS traffic detected: query: www.tmgl.bond replycode: Name error (3)
Source: unknown DNS traffic detected: query: www.7732.club replycode: Name error (3)
Source: unknown DNS traffic detected: query: www.erkakasrumah.online replycode: Name error (3)
Source: unknown DNS traffic detected: query: www.araghospitality.net replycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ehills.shop replycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: www.tmgl.bond
Source: global traffic DNS traffic detected: DNS query: www.newordforpurpose.info
Source: global traffic DNS traffic detected: DNS query: www.39474.club
Source: global traffic DNS traffic detected: DNS query: www.itygatehousing.app
Source: global traffic DNS traffic detected: DNS query: www.erkakasrumah.online
Source: global traffic DNS traffic detected: DNS query: www.7732.club
Source: global traffic DNS traffic detected: DNS query: www.ehills.shop
Source: global traffic DNS traffic detected: DNS query: www.teamgame-mod.net
Source: global traffic DNS traffic detected: DNS query: www.araghospitality.net
Source: global traffic DNS traffic detected: DNS query: www.ntermoney24cad.homes
Source: global traffic DNS traffic detected: DNS query: www.ransportationwlsltpro.top
Source: explorer.exe, 00000004.00000002.4510303360.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510303360.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000004.00000002.4501873324.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2049993282.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: explorer.exe, 00000004.00000002.4510303360.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510303360.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000004.00000002.4510303360.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510303360.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000004.00000002.4510303360.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510303360.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000002.4510303360.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000004.00000000.2065155899.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4508338906.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2065185621.0000000008890000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.39474.club
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.39474.club/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.39474.club/m25s/www.xewaov.xyz
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.39474.clubReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.52006.club
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.52006.club/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.52006.club/m25s/A
Source: explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.52006.club/m25s/j
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.52006.clubReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.7732.club
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.7732.club/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.7732.club/m25s/www.ehills.shop
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.7732.clubReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.araghospitality.net
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.araghospitality.net/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.araghospitality.net/m25s/www.ntermoney24cad.homes
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.araghospitality.netReferer:
Source: explorer.exe, 00000004.00000000.2069825453.000000000C81C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ax-th-6011838.fyi
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ax-th-6011838.fyi/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ax-th-6011838.fyi/m25s/www.ottah.studio
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ax-th-6011838.fyiReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ehills.shop
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ehills.shop/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ehills.shop/m25s/www.teamgame-mod.net
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ehills.shopReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.erkakasrumah.online
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.erkakasrumah.online/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.erkakasrumah.online/m25s/www.7732.club
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.erkakasrumah.onlineReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.itygatehousing.app
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.itygatehousing.app/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.itygatehousing.app/m25s/www.erkakasrumah.online
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.itygatehousing.appReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.newordforpurpose.info
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.newordforpurpose.info/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.newordforpurpose.info/m25s/www.39474.club
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.newordforpurpose.infoReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ntermoney24cad.homes
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ntermoney24cad.homes/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ntermoney24cad.homes/m25s/www.ransportationwlsltpro.top
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ntermoney24cad.homesReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olnacasinotcs14.top
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olnacasinotcs14.top/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olnacasinotcs14.top/m25s/www.ax-th-6011838.fyi
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.olnacasinotcs14.topReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ottah.studio
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ottah.studio/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ottah.studio/m25s/www.52006.club
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ottah.studioReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ransportationwlsltpro.top
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ransportationwlsltpro.top/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ransportationwlsltpro.top/m25s/www.olnacasinotcs14.top
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ransportationwlsltpro.topReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.teamgame-mod.net
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.teamgame-mod.net/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.teamgame-mod.net/m25s/www.araghospitality.net
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.teamgame-mod.netReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tmgl.bond
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tmgl.bond/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tmgl.bond/m25s/www.newordforpurpose.info
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tmgl.bondReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.xewaov.xyz
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.xewaov.xyz/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.xewaov.xyz/m25s/www.itygatehousing.app
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.xewaov.xyzReferer:
Source: explorer.exe, 00000004.00000002.4514503769.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3833545516.000000000C547000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098917447.000000000C547000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2069010894.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000004.00000000.2063621463.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3099874742.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4505790397.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3837680509.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000004.00000002.4510303360.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000004.00000000.2063621463.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4505790397.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000004.00000003.3096095397.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4503493727.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2051122346.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3831833887.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000004.00000002.4510303360.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000004.00000002.4510303360.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000004.00000000.2069010894.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4514503769.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000004.00000002.4510303360.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000004.00000002.4510303360.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
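The string listing above mixes three things: explorer.exe's own Microsoft URLs, the sample's injected C2 list (several unrelated domains that all share the path `/m25s/`), and dump residue where one URL runs straight into the next string (`www.teamgame-mod.net/m25s/www.araghospitality.net`, `www.tmgl.bondReferer:`). The following Python is an added example, not part of the sandbox report, that turns such lines into a clean host list: it splits glued URLs at each `www.` boundary, strips the `Referer:` header text the dump ran into, and groups hosts by URI path so that a path shared by several hosts stands out from the single-host browser noise. The `Referer:` suffix handling and the "two or more hosts on one path" threshold are this example's own assumptions; the sample lines are constructed from the URLs on this page with the dump identifier shortened to one value.

```python
import re
from collections import defaultdict

# Constructed sample: the URL part of each line is copied from the explorer.exe
# string listing above; the memory-dump identifier is shortened to one value.
_PREFIX = ("Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000."
           "00000004.00000001.00020000.00000000.sdmp String found in binary or memory: ")
SAMPLE_LINES = [_PREFIX + u for u in (
    "http://www.teamgame-mod.net",
    "http://www.teamgame-mod.net/m25s/",
    "http://www.teamgame-mod.net/m25s/www.araghospitality.net",
    "http://www.teamgame-mod.netReferer:",
    "http://www.tmgl.bond/m25s/www.newordforpurpose.info",
    "http://www.tmgl.bondReferer:",
    "http://www.xewaov.xyz/m25s/www.itygatehousing.app",
    "https://api.msn.com/",
    "https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind",
    "https://wns.windows.com/)s",
)]

URL_RE = re.compile(r"String found in binary or memory: (\S+)")

# Text the dump runs straight into after a URL (the start of the next HTTP header
# the sample builds). Treating it as a known suffix to strip is an assumption.
JUNK_SUFFIXES = ("Referer:",)


def split_url_blob(blob):
    """Split one memory string into (host, path) pairs.

    'http://www.a.net/m25s/www.b.net' -> [('www.a.net', '/m25s/'), ('www.b.net', '')]
    A host with no path gets '' so the caller can tell 'no path' from '/'.
    """
    for junk in JUNK_SUFFIXES:
        if blob.endswith(junk):
            blob = blob[: -len(junk)]
    blob = re.sub(r"^https?://", "", blob)
    pairs = []
    for piece in re.split(r"(?=www\.)", blob):   # cut before every 'www.'
        if not piece:
            continue
        host, slash, rest = piece.partition("/")
        pairs.append((host.lower(), slash + rest))
    return pairs


def c2_candidates(lines, min_hosts=2):
    """Group hosts by URI path; return only paths shared by >= min_hosts hosts.

    One path reused across many unrelated domains is the shape of a stealer's
    embedded domain list, whereas browser/OS URLs carry one host per path.
    """
    by_path = defaultdict(set)
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        pairs = split_url_blob(m.group(1))
        for i, (host, path) in enumerate(pairs):
            if path:
                by_path[path].add(host)
            elif i > 0 and pairs[i - 1][1]:
                # a bare host glued directly after a path belongs to the same list
                by_path[pairs[i - 1][1]].add(host)
    return {path: sorted(hosts) for path, hosts in by_path.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for path, hosts in c2_candidates(SAMPLE_LINES).items():
        print(path, hosts)
```

Running it on the constructed lines yields a single group, `/m25s/`, holding all six `www.*` hosts from the listing, while `api.msn.com` and `wns.windows.com` drop out because no second host shares their paths. The hosts glued after `/m25s/` (for example `www.araghospitality.net`) never appear on their own in the dump, so the split step is what recovers them for a block list.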

E-Banking Fraud

Source: Yara match File source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.4516511425.000000000F271000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Bank swift.exe PID: 5556, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: Bank swift.exe PID: 5712, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cscript.exe PID: 6340, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_09243BD8 NtQueryInformationProcess, 0_2_09243BD8
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_09248AB8 NtQueryInformationProcess, 0_2_09248AB8
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041A320 NtCreateFile, 3_2_0041A320
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041A3D0 NtReadFile, 3_2_0041A3D0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041A450 NtClose, 3_2_0041A450
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041A500 NtAllocateVirtualMemory, 3_2_0041A500
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041A44B NtClose, 3_2_0041A44B
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041A4FB NtAllocateVirtualMemory, 3_2_0041A4FB
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662B60 NtClose,LdrInitializeThunk, 3_2_01662B60
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_01662BF0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662AD0 NtReadFile,LdrInitializeThunk, 3_2_01662AD0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662D30 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_01662D30
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662D10 NtMapViewOfSection,LdrInitializeThunk, 3_2_01662D10
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662DF0 NtQuerySystemInformation,LdrInitializeThunk, 3_2_01662DF0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662DD0 NtDelayExecution,LdrInitializeThunk, 3_2_01662DD0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662C70 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_01662C70
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662CA0 NtQueryInformationToken,LdrInitializeThunk, 3_2_01662CA0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662F30 NtCreateSection,LdrInitializeThunk, 3_2_01662F30
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662FE0 NtCreateFile,LdrInitializeThunk, 3_2_01662FE0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662FB0 NtResumeThread,LdrInitializeThunk, 3_2_01662FB0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662F90 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_01662F90
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_01662EA0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662E80 NtReadVirtualMemory,LdrInitializeThunk, 3_2_01662E80
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01664340 NtSetContextThread, 3_2_01664340
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01664650 NtSuspendThread, 3_2_01664650
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662BE0 NtQueryValueKey, 3_2_01662BE0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662BA0 NtEnumerateValueKey, 3_2_01662BA0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662B80 NtQueryInformationFile, 3_2_01662B80
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662AF0 NtWriteFile, 3_2_01662AF0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662AB0 NtWaitForSingleObject, 3_2_01662AB0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662D00 NtSetInformationFile, 3_2_01662D00
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662DB0 NtEnumerateKey, 3_2_01662DB0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662C60 NtCreateKey, 3_2_01662C60
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662C00 NtQueryInformationProcess, 3_2_01662C00
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662CF0 NtOpenProcess, 3_2_01662CF0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662CC0 NtQueryVirtualMemory, 3_2_01662CC0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662F60 NtCreateProcessEx, 3_2_01662F60
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662FA0 NtQuerySection, 3_2_01662FA0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662E30 NtWriteVirtualMemory, 3_2_01662E30
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662EE0 NtQueueApcThread, 3_2_01662EE0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01663010 NtOpenDirectoryObject, 3_2_01663010
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01663090 NtSetValueKey, 3_2_01663090
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016635C0 NtCreateMutant, 3_2_016635C0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016639B0 NtGetContextThread, 3_2_016639B0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01663D70 NtOpenThread, 3_2_01663D70
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01663D10 NtOpenProcessToken, 3_2_01663D10
Source: C:\Windows\explorer.exe Code function: 4_2_0F259232 NtCreateFile, 4_2_0F259232
Source: C:\Windows\explorer.exe Code function: 4_2_0F25AE12 NtProtectVirtualMemory, 4_2_0F25AE12
Source: C:\Windows\explorer.exe Code function: 4_2_0F25AE0A NtProtectVirtualMemory, 4_2_0F25AE0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532D10 NtMapViewOfSection,LdrInitializeThunk, 5_2_05532D10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532DD0 NtDelayExecution,LdrInitializeThunk, 5_2_05532DD0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_05532DF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_05532C70
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532C60 NtCreateKey,LdrInitializeThunk, 5_2_05532C60
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532CA0 NtQueryInformationToken,LdrInitializeThunk, 5_2_05532CA0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532F30 NtCreateSection,LdrInitializeThunk, 5_2_05532F30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532FE0 NtCreateFile,LdrInitializeThunk, 5_2_05532FE0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_05532EA0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532B60 NtClose,LdrInitializeThunk, 5_2_05532B60
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_05532BF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532BE0 NtQueryValueKey,LdrInitializeThunk, 5_2_05532BE0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532AD0 NtReadFile,LdrInitializeThunk, 5_2_05532AD0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_055335C0 NtCreateMutant,LdrInitializeThunk, 5_2_055335C0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05534650 NtSuspendThread, 5_2_05534650
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05534340 NtSetContextThread, 5_2_05534340
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532D00 NtSetInformationFile, 5_2_05532D00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532D30 NtUnmapViewOfSection, 5_2_05532D30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532DB0 NtEnumerateKey, 5_2_05532DB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532C00 NtQueryInformationProcess, 5_2_05532C00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532CC0 NtQueryVirtualMemory, 5_2_05532CC0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532CF0 NtOpenProcess, 5_2_05532CF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532F60 NtCreateProcessEx, 5_2_05532F60
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532F90 NtProtectVirtualMemory, 5_2_05532F90
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532FB0 NtResumeThread, 5_2_05532FB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532FA0 NtQuerySection, 5_2_05532FA0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532E30 NtWriteVirtualMemory, 5_2_05532E30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532EE0 NtQueueApcThread, 5_2_05532EE0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532E80 NtReadVirtualMemory, 5_2_05532E80
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532B80 NtQueryInformationFile, 5_2_05532B80
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532BA0 NtEnumerateValueKey, 5_2_05532BA0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532AF0 NtWriteFile, 5_2_05532AF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05532AB0 NtWaitForSingleObject, 5_2_05532AB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05533010 NtOpenDirectoryObject, 5_2_05533010
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05533090 NtSetValueKey, 5_2_05533090
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05533D70 NtOpenThread, 5_2_05533D70
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_05533D10 NtOpenProcessToken, 5_2_05533D10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_055339B0 NtGetContextThread, 5_2_055339B0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_02FEA3D0 NtReadFile, 5_2_02FEA3D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_02FEA320 NtCreateFile, 5_2_02FEA320
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_02FEA450 NtClose, 5_2_02FEA450
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_02FEA500 NtAllocateVirtualMemory, 5_2_02FEA500
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_02FEA4FB NtAllocateVirtualMemory, 5_2_02FEA4FB
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_02FEA44B NtClose, 5_2_02FEA44B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_053BA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 5_2_053BA036
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_053B9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 5_2_053B9BAF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_053BA042 NtQueryInformationProcess, 5_2_053BA042
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_053B9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 5_2_053B9BB2
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_0175D5FC 0_2_0175D5FC
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_0175B8C8 0_2_0175B8C8
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_056AC308 0_2_056AC308
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_056AEE50 0_2_056AEE50
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_056A08E0 0_2_056A08E0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_056A08F0 0_2_056A08F0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_056A08B7 0_2_056A08B7
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_07A01788 0_2_07A01788
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_07A037F0 0_2_07A037F0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_07A00F28 0_2_07A00F28
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_07A01BC0 0_2_07A01BC0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_07A01360 0_2_07A01360
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_09244B38 0_2_09244B38
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_09245E08 0_2_09245E08
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_09244B28 0_2_09244B28
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_09247A8A 0_2_09247A8A
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_09245DF8 0_2_09245DF8
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_09248C31 0_2_09248C31
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_09247EC0 0_2_09247EC0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_09248390 0_2_09248390
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_0924A4E8 0_2_0924A4E8
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_0924A4D8 0_2_0924A4D8
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_0924A748 0_2_0924A748
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_0924A758 0_2_0924A758
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041D904 3_2_0041D904
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041DBD7 3_2_0041DBD7
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041E541 3_2_0041E541
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041D566 3_2_0041D566
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_00409E4B 3_2_00409E4B
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_00409E50 3_2_00409E50
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041E7A9 3_2_0041E7A9
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B8158 3_2_016B8158
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01620100 3_2_01620100
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016CA118 3_2_016CA118
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016E81CC 3_2_016E81CC
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F01AA 3_2_016F01AA
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016E41A2 3_2_016E41A2
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016C2000 3_2_016C2000
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016EA352 3_2_016EA352
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F03E6 3_2_016F03E6
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0163E3F0 3_2_0163E3F0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016D0274 3_2_016D0274
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B02C0 3_2_016B02C0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630535 3_2_01630535
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F0591 3_2_016F0591
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016E2446 3_2_016E2446
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016D4420 3_2_016D4420
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016DE4F6 3_2_016DE4F6
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630770 3_2_01630770
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01654750 3_2_01654750
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0162C7C0 3_2_0162C7C0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164C6E0 3_2_0164C6E0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01646962 3_2_01646962
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016329A0 3_2_016329A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016FA9A6 3_2_016FA9A6
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0163A840 3_2_0163A840
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01632840 3_2_01632840
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165E8F0 3_2_0165E8F0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016168B8 3_2_016168B8
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016EAB40 3_2_016EAB40
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016E6BD7 3_2_016E6BD7
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0162EA80 3_2_0162EA80
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0163AD00 3_2_0163AD00
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016CCD1F 3_2_016CCD1F
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0162ADE0 3_2_0162ADE0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01648DBF 3_2_01648DBF
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630C00 3_2_01630C00
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01620CF2 3_2_01620CF2
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016D0CB5 3_2_016D0CB5
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A4F40 3_2_016A4F40
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01672F28 3_2_01672F28
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01650F30 3_2_01650F30
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016D2F30 3_2_016D2F30
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0163CFE0 3_2_0163CFE0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01622FC8 3_2_01622FC8
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016AEFA0 3_2_016AEFA0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630E59 3_2_01630E59
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016EEE26 3_2_016EEE26
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016EEEDB 3_2_016EEEDB
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01642E90 3_2_01642E90
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016ECE93 3_2_016ECE93
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016FB16B 3_2_016FB16B
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0166516C 3_2_0166516C
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161F172 3_2_0161F172
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0163B1B0 3_2_0163B1B0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016E70E9 3_2_016E70E9
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016EF0E0 3_2_016EF0E0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016DF0CC 3_2_016DF0CC
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016370C0 3_2_016370C0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161D34C 3_2_0161D34C
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016E132D 3_2_016E132D
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0167739A 3_2_0167739A
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016D12ED 3_2_016D12ED
Source: Bank swift.exe, 00000000.00000002.2047457137.000000000148E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Bank swift.exe
Source: Bank swift.exe, 00000000.00000002.2064433544.000000000BAE0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Bank swift.exe
Source: Bank swift.exe, 00000000.00000000.2036295484.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameThGx.exeF vs Bank swift.exe
Source: Bank swift.exe, 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Bank swift.exe
Source: Bank swift.exe, 00000003.00000002.2110051359.00000000015B0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamecscript.exe` vs Bank swift.exe
Source: Bank swift.exe, 00000003.00000002.2109559935.0000000001198000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecscript.exe` vs Bank swift.exe
Source: Bank swift.exe, 00000003.00000002.2110209718.000000000171D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Bank swift.exe
Source: Bank swift.exe Binary or memory string: OriginalFilenameThGx.exeF vs Bank swift.exe
Source: Bank swift.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4516511425.000000000F271000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Bank swift.exe PID: 5556, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: Bank swift.exe PID: 5712, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cscript.exe PID: 6340, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Bank swift.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, IqF4oqVv8sTWNNV5OL.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, fPj6AkPx2qAFhopIaK.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, fPj6AkPx2qAFhopIaK.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, fPj6AkPx2qAFhopIaK.cs Security API names: _0020.AddAccessRule
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, fPj6AkPx2qAFhopIaK.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, fPj6AkPx2qAFhopIaK.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, fPj6AkPx2qAFhopIaK.cs Security API names: _0020.AddAccessRule
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, IqF4oqVv8sTWNNV5OL.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, IqF4oqVv8sTWNNV5OL.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, fPj6AkPx2qAFhopIaK.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, fPj6AkPx2qAFhopIaK.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, fPj6AkPx2qAFhopIaK.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.evad.winEXE@303/1@11/0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_0078BCDF FormatMessageW,SysAllocString,LocalFree,GetLastError,WideCharToMultiByte,__alloca_probe_16,WideCharToMultiByte,FormatMessageA,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,LocalFree, 5_2_0078BCDF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_007864E0 CLSIDFromString,CoCreateInstance, 5_2_007864E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_007982B5 FindResourceExW,LoadResource, 5_2_007982B5
Source: C:\Users\user\Desktop\Bank swift.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bank swift.exe.log
Source: C:\Users\user\Desktop\Bank swift.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_03
Source: Bank swift.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Bank swift.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Bank swift.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Bank swift.exe ReversingLabs: Detection: 47%
Source: unknown Process created: C:\Users\user\Desktop\Bank swift.exe "C:\Users\user\Desktop\Bank swift.exe"
Source: C:\Users\user\Desktop\Bank swift.exe Process created: C:\Users\user\Desktop\Bank swift.exe "C:\Users\user\Desktop\Bank swift.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe"
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Bank swift.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bank swift.exe Process created: C:\Users\user\Desktop\Bank swift.exe "C:\Users\user\Desktop\Bank swift.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe"
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Bank swift.exe"
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: iconcodecservice.dll
Source: C:\Windows\explorer.exe Section loaded: workfoldersshell.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Bank swift.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Bank swift.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Bank swift.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Bank swift.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Bank swift.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: cscript.pdbUGP source: Bank swift.exe, 00000003.00000002.2110051359.00000000015B0000.00000040.10000000.00040000.00000000.sdmp, Bank swift.exe, 00000003.00000002.2109559935.0000000001198000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: ThGx.pdb source: Bank swift.exe
Source: Binary string: ThGx.pdbSHA256 source: Bank swift.exe
Source: Binary string: wntdll.pdbUGP source: Bank swift.exe, 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.2108905844.000000000515F000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.2112308434.000000000530E000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Bank swift.exe, Bank swift.exe, 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000005.00000003.2108905844.000000000515F000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.2112308434.000000000530E000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cscript.pdb source: Bank swift.exe, 00000003.00000002.2110051359.00000000015B0000.00000040.10000000.00040000.00000000.sdmp, Bank swift.exe, 00000003.00000002.2109559935.0000000001198000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, fPj6AkPx2qAFhopIaK.cs .Net Code: otefcApoE8 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, fPj6AkPx2qAFhopIaK.cs .Net Code: otefcApoE8 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bank swift.exe.5bb0000.2.raw.unpack, Uo.cs .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, fPj6AkPx2qAFhopIaK.cs .Net Code: otefcApoE8 System.Reflection.Assembly.Load(byte[])
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_0078AA82 LoadLibraryW,GetProcAddress,FreeLibrary, 5_2_0078AA82
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_056A14D9 push 1805649Fh; retf 0_2_056A14E5
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_07A08975 push FFFFFF8Bh; iretd 0_2_07A08977
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_07A00854 push E8040777h; ret 0_2_07A00859
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 0_2_09243AD9 push ebx; retf 0_2_09243ADA
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041B854 push edi; ret 3_2_0041B85C
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041E96F push ebp; ret 3_2_0041E986
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041E903 push edx; ret 3_2_0041E907
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041D475 push eax; ret 3_2_0041D4C8
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041D4C2 push eax; ret 3_2_0041D4C8
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041D4CB push eax; ret 3_2_0041D532
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0041D52C push eax; ret 3_2_0041D532
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_015F225F pushad ; ret 3_2_015F27F9
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_015F27FA pushad ; ret 3_2_015F27F9
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016209AD push ecx; mov dword ptr [esp], ecx 3_2_016209B6
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_015F283D push eax; iretd 3_2_015F2858
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_015F1365 push eax; iretd 3_2_015F1369
Source: C:\Windows\explorer.exe Code function: 4_2_0F25CB02 push esp; retn 0000h 4_2_0F25CB03
Source: C:\Windows\explorer.exe Code function: 4_2_0F25CB1E push esp; retn 0000h 4_2_0F25CB1F
Source: C:\Windows\explorer.exe Code function: 4_2_0F25C9B5 push esp; retn 0000h 4_2_0F25CAE7
Source: C:\Windows\explorer.exe Code function: 4_2_10ADE9B5 push esp; retn 0000h 4_2_10ADEAE7
Source: C:\Windows\explorer.exe Code function: 4_2_10ADEB02 push esp; retn 0000h 4_2_10ADEB03
Source: C:\Windows\explorer.exe Code function: 4_2_10ADEB1E push esp; retn 0000h 4_2_10ADEB1F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_0078DF11 push ecx; ret 5_2_0078DF24
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_054F09AD push ecx; mov dword ptr [esp], ecx 5_2_054F09B6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_02FED4CB push eax; ret 5_2_02FED532
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_02FED4C2 push eax; ret 5_2_02FED4C8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_02FED475 push eax; ret 5_2_02FED4C8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_02FED52C push eax; ret 5_2_02FED532
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_02FEB854 push edi; ret 5_2_02FEB85C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_02FEE96F push ebp; ret 5_2_02FEE986
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_02FEE903 push edx; ret 5_2_02FEE907
Source: Bank swift.exe Static PE information: section name: .text entropy: 7.6517904049016785
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, neHFNba0Bf9OBB952Z.cs High entropy of concatenated method names: 'n9emNnQILd', 'E6KmbmAy8S', 'XP4mCE6oX4', 'LR3m6uNTLQ', 'BxImKlYguM', 'AdnmXYLRAN', 'wFTmPKkNgL', 'bWTm5Rxeym', 'POCm9ycvUc', 'otCmx8h5fl'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, ufAD2yTBcVVcJ17umw.cs High entropy of concatenated method names: 'KamGalwwZl', 'P1hGvSEf0I', 'V3MmdlmSAV', 'F9CmiI4yq3', 'PYfGHqn4jE', 'LURGLFw8nZ', 'Yy8GQJLqTK', 'AFAGSfQp8c', 'nlxGtQUdBO', 'VXOG1CU4mr'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, tUGtQd3DJjokEpwttN.cs High entropy of concatenated method names: 'yx0XIcH38G', 'Ci4XJ1gmOF', 'HEDXcs11O0', 'h7wX7o0On1', 'xJnXgMCkvP', 'SN2XhXK5Bv', 'IhxXrauJrc', 'dGxXVlxwSQ', 'JYcXDXF9YS', 'fwdXsCbMEG'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, Jj5f76sXuGlilYkdkY.cs High entropy of concatenated method names: 'vMe6gcI6E1', 'xx66rIdprk', 'GH9CUwOoBY', 'wXpC4rZxr9', 'SEHCjisKq7', 'QFyCeT7S0b', 'DDZCYcKH9J', 'jQvCFXolRg', 'qHPC3w7adK', 'YyZCp9JocV'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, KP4B3Tid2BcRujRrEAA.cs High entropy of concatenated method names: 'brWyI8lMTZ', 'yQ6yJkb6bX', 'zCUycfrZ7F', 'B7yy7fKvff', 'reAygyuP2J', 'uDRyhpm5s2', 'UYqyrrlyYM', 'vuEyVx6yAS', 'fvQyDlpx8m', 'aV5ys8JQWJ'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, IqF4oqVv8sTWNNV5OL.cs High entropy of concatenated method names: 'TWxbSu1oZ2', 'tnIbtunLSs', 'GDqb12GSNp', 'h3YbZnSgVJ', 'z1CbE2K7dF', 'LPkbTouHZ4', 'oOobMweYxK', 'y3ubaYAAKX', 'lH9bq84Kdn', 'H4ubvni5ci'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, BBL8gEifQ27YNSIdnxN.cs High entropy of concatenated method names: 'gFTCADNNeC1ak', 'clhoXQxR8f2usfbiy9J', 'Hka2hixHAXrSN29mMNp', 'dsvMApizhlpwMO3YSEt', 'smZheFxTXhQJbuojULE', 'FJD6hFxaYqX1OZuwevV'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, V8jl6SQ6uhSpgFnFWY.cs High entropy of concatenated method names: 'DtlnVLERen', 'qWVnDjROxT', 'fVCnkvT2t0', 'MfNnok8OlQ', 'jSsn4jiXuR', 'IYqnjd0mPy', 'clInYNkXaI', 'QEJnFVKoXQ', 'wpTnpcch5r', 'WqdnH9gydP'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, O3dqutDKKEPWagaMia.cs High entropy of concatenated method names: 'C8DC7wFE8O', 'z00ChXQO7p', 'DhRCVRijG0', 'w5HCDNUGrZ', 'BSTC0QSMPl', 'f0tC8ZHTbC', 'zWuCGWkKvL', 'PhvCmPGKcG', 'WyoCyjeVYq', 'hi6CRAMQ2p'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, vcvNOqzyLAdDgD4qMv.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WcxynGBhYM', 'nXty0XokxV', 'Jppy8gfDWo', 'BKpyGgipcN', 'XMZymPwMP8', 'zH8yySgtqF', 'xaVyRGwin7'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, sYLTpjiWm7p7olKQKCE.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uKYRSCSFmf', 'C5fRtNtREr', 'NW6R1BU0DE', 'lJMRZSA6AR', 'DVsREFns5t', 'MbfRTwOwsq', 'FniRM69BD4'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, MypjKDonacXux0UMPT.cs High entropy of concatenated method names: 'LGwoc6HbtRRwc79r0VW', 'Cmc5a6H3jYkA1NT24Fb', 'DIiKmCOIcQ', 'O1SKypWhqV', 'aXrKRlUZPG', 'XyYjCCHvMvZ2cobyi34', 'aEUxhZHtCXMeWCLINrG', 'kIgE4VHLB8RVNb59vvF'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, vJNiXViiGYRwVe8ZWvJ.cs High entropy of concatenated method names: 'ToString', 'E5cRW5hEBc', 'gkERf0uwXP', 'YJrRAkFmFp', 'fxcRNU6NNe', 'yrLRbQHMmJ', 'qUwRCGh5Fd', 'tPfR6QD1B2', 'sx31xKiS8VYcnjua29b', 'ifI4Mkiux9Sj9S0Q2dO'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, cqCFZcY25BEWh2DTtw.cs High entropy of concatenated method names: 'I1JXNYgojh', 'YWsXCPs1w4', 'kLoXKtDMqu', 'kUVKvkyBp2', 'N8SKzqSwaM', 'DksXd0IYMo', 'QSxXiolaPR', 'fnYXuL3FIi', 'VpMXWjwaeZ', 'HXQXfuWxky'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, CqPLsLbPmaWACgBFgl.cs High entropy of concatenated method names: 'Dispose', 'XpDiq0RZmG', 'k5TuoYNkGw', 'CteBBvs09T', 'gneivHFNb0', 'vf9izOBB95', 'ProcessDialogKey', 'vZkudPdGYG', 'Bmtuilurm6', 'Vlvuu9Tav3'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, w016agZ6Yv5lj1y6RX.cs High entropy of concatenated method names: 'l1aG9x5J8k', 'c0QGxRPTEj', 'ToString', 'y91GNqtfXZ', 'OghGbFeORU', 'K3FGCNc3WZ', 'qrUG6NDZRG', 'hEVGKMCufV', 'IvnGXnKeub', 'zXBGPAp9YL'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, pdtIeykDa1LgXtJ021.cs High entropy of concatenated method names: 'tuPKAmMgNv', 'kniKbrL0r6', 'PeYK64MNIm', 'aovKXCJ56u', 'XOxKPKUBCK', 'OS36EOqByM', 'iUq6TMvEh1', 'ND36Mv0Nu3', 'v4L6aPvxGI', 'oIX6qHANU1'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, mTav3nvGt7cQdHnaMV.cs High entropy of concatenated method names: 'pbMyiycejf', 'BHMyWQus8c', 'stUyfUQGu1', 'aMsyNASgaf', 'I6Zyb6Mmh7', 'JIsy6WeWk8', 'duCyKGADSo', 'zlImMNg9jn', 'NRAmayb1Am', 'WYfmqgZoSt'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, JsvX2Tfm2XdPsxwden.cs High entropy of concatenated method names: 'mp4iXqF4oq', 'Y8siPTWNNV', 'SKKi9EPWag', 'XMiixajj5f', 'Lkdi0kY8dt', 'yeyi8Da1Lg', 'dS5O8YCU8waR2Tvoj3', 'yn6pRMEgNY1bpgSXTS', 'q99iiJ7BFw', 'SmaiWeUHWE'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, fPj6AkPx2qAFhopIaK.cs High entropy of concatenated method names: 'cQDWAS8DYL', 'bxJWNS7vMn', 'OkQWb1PIpy', 'JRGWCvQ0fr', 'H1yW6tjjq6', 'PxwWKuUglJ', 'xWsWX9nd4g', 'eEyWP0WFpp', 'BXsW5lcC5w', 'Gm5W94tbV5'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, GPdGYGqgmtlurm6Tlv.cs High entropy of concatenated method names: 'GupmkL9xFU', 'yjgmoyVC2D', 'y3QmU3YNQF', 'n1Mm4GOkkU', 'hMVmS2wssb', 'DRhmjRuNQY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, fhvTyDungqxGGCMZiu.cs High entropy of concatenated method names: 'IXWcjnNuV', 'hBL7YfijD', 'q6ahbAyqx', 'eTPrHPdFv', 'OQkDxkVrj', 'no0s1oH7T', 'rllTpNQ5quI5EFLgn8', 'vo0vQnXtpuPT81YOmC', 'mhsm4aoC1', 'EIyRDHc9q'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, neHFNba0Bf9OBB952Z.cs High entropy of concatenated method names: 'n9emNnQILd', 'E6KmbmAy8S', 'XP4mCE6oX4', 'LR3m6uNTLQ', 'BxImKlYguM', 'AdnmXYLRAN', 'wFTmPKkNgL', 'bWTm5Rxeym', 'POCm9ycvUc', 'otCmx8h5fl'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, ufAD2yTBcVVcJ17umw.cs High entropy of concatenated method names: 'KamGalwwZl', 'P1hGvSEf0I', 'V3MmdlmSAV', 'F9CmiI4yq3', 'PYfGHqn4jE', 'LURGLFw8nZ', 'Yy8GQJLqTK', 'AFAGSfQp8c', 'nlxGtQUdBO', 'VXOG1CU4mr'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, tUGtQd3DJjokEpwttN.cs High entropy of concatenated method names: 'yx0XIcH38G', 'Ci4XJ1gmOF', 'HEDXcs11O0', 'h7wX7o0On1', 'xJnXgMCkvP', 'SN2XhXK5Bv', 'IhxXrauJrc', 'dGxXVlxwSQ', 'JYcXDXF9YS', 'fwdXsCbMEG'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, Jj5f76sXuGlilYkdkY.cs High entropy of concatenated method names: 'vMe6gcI6E1', 'xx66rIdprk', 'GH9CUwOoBY', 'wXpC4rZxr9', 'SEHCjisKq7', 'QFyCeT7S0b', 'DDZCYcKH9J', 'jQvCFXolRg', 'qHPC3w7adK', 'YyZCp9JocV'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, KP4B3Tid2BcRujRrEAA.cs High entropy of concatenated method names: 'brWyI8lMTZ', 'yQ6yJkb6bX', 'zCUycfrZ7F', 'B7yy7fKvff', 'reAygyuP2J', 'uDRyhpm5s2', 'UYqyrrlyYM', 'vuEyVx6yAS', 'fvQyDlpx8m', 'aV5ys8JQWJ'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, IqF4oqVv8sTWNNV5OL.cs High entropy of concatenated method names: 'TWxbSu1oZ2', 'tnIbtunLSs', 'GDqb12GSNp', 'h3YbZnSgVJ', 'z1CbE2K7dF', 'LPkbTouHZ4', 'oOobMweYxK', 'y3ubaYAAKX', 'lH9bq84Kdn', 'H4ubvni5ci'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, BBL8gEifQ27YNSIdnxN.cs High entropy of concatenated method names: 'gFTCADNNeC1ak', 'clhoXQxR8f2usfbiy9J', 'Hka2hixHAXrSN29mMNp', 'dsvMApizhlpwMO3YSEt', 'smZheFxTXhQJbuojULE', 'FJD6hFxaYqX1OZuwevV'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, V8jl6SQ6uhSpgFnFWY.cs High entropy of concatenated method names: 'DtlnVLERen', 'qWVnDjROxT', 'fVCnkvT2t0', 'MfNnok8OlQ', 'jSsn4jiXuR', 'IYqnjd0mPy', 'clInYNkXaI', 'QEJnFVKoXQ', 'wpTnpcch5r', 'WqdnH9gydP'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, O3dqutDKKEPWagaMia.cs High entropy of concatenated method names: 'C8DC7wFE8O', 'z00ChXQO7p', 'DhRCVRijG0', 'w5HCDNUGrZ', 'BSTC0QSMPl', 'f0tC8ZHTbC', 'zWuCGWkKvL', 'PhvCmPGKcG', 'WyoCyjeVYq', 'hi6CRAMQ2p'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, vcvNOqzyLAdDgD4qMv.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WcxynGBhYM', 'nXty0XokxV', 'Jppy8gfDWo', 'BKpyGgipcN', 'XMZymPwMP8', 'zH8yySgtqF', 'xaVyRGwin7'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, sYLTpjiWm7p7olKQKCE.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uKYRSCSFmf', 'C5fRtNtREr', 'NW6R1BU0DE', 'lJMRZSA6AR', 'DVsREFns5t', 'MbfRTwOwsq', 'FniRM69BD4'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, MypjKDonacXux0UMPT.cs High entropy of concatenated method names: 'LGwoc6HbtRRwc79r0VW', 'Cmc5a6H3jYkA1NT24Fb', 'DIiKmCOIcQ', 'O1SKypWhqV', 'aXrKRlUZPG', 'XyYjCCHvMvZ2cobyi34', 'aEUxhZHtCXMeWCLINrG', 'kIgE4VHLB8RVNb59vvF'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, vJNiXViiGYRwVe8ZWvJ.cs High entropy of concatenated method names: 'ToString', 'E5cRW5hEBc', 'gkERf0uwXP', 'YJrRAkFmFp', 'fxcRNU6NNe', 'yrLRbQHMmJ', 'qUwRCGh5Fd', 'tPfR6QD1B2', 'sx31xKiS8VYcnjua29b', 'ifI4Mkiux9Sj9S0Q2dO'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, cqCFZcY25BEWh2DTtw.cs High entropy of concatenated method names: 'I1JXNYgojh', 'YWsXCPs1w4', 'kLoXKtDMqu', 'kUVKvkyBp2', 'N8SKzqSwaM', 'DksXd0IYMo', 'QSxXiolaPR', 'fnYXuL3FIi', 'VpMXWjwaeZ', 'HXQXfuWxky'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, CqPLsLbPmaWACgBFgl.cs High entropy of concatenated method names: 'Dispose', 'XpDiq0RZmG', 'k5TuoYNkGw', 'CteBBvs09T', 'gneivHFNb0', 'vf9izOBB95', 'ProcessDialogKey', 'vZkudPdGYG', 'Bmtuilurm6', 'Vlvuu9Tav3'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, w016agZ6Yv5lj1y6RX.cs High entropy of concatenated method names: 'l1aG9x5J8k', 'c0QGxRPTEj', 'ToString', 'y91GNqtfXZ', 'OghGbFeORU', 'K3FGCNc3WZ', 'qrUG6NDZRG', 'hEVGKMCufV', 'IvnGXnKeub', 'zXBGPAp9YL'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, pdtIeykDa1LgXtJ021.cs High entropy of concatenated method names: 'tuPKAmMgNv', 'kniKbrL0r6', 'PeYK64MNIm', 'aovKXCJ56u', 'XOxKPKUBCK', 'OS36EOqByM', 'iUq6TMvEh1', 'ND36Mv0Nu3', 'v4L6aPvxGI', 'oIX6qHANU1'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, mTav3nvGt7cQdHnaMV.cs High entropy of concatenated method names: 'pbMyiycejf', 'BHMyWQus8c', 'stUyfUQGu1', 'aMsyNASgaf', 'I6Zyb6Mmh7', 'JIsy6WeWk8', 'duCyKGADSo', 'zlImMNg9jn', 'NRAmayb1Am', 'WYfmqgZoSt'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, JsvX2Tfm2XdPsxwden.cs High entropy of concatenated method names: 'mp4iXqF4oq', 'Y8siPTWNNV', 'SKKi9EPWag', 'XMiixajj5f', 'Lkdi0kY8dt', 'yeyi8Da1Lg', 'dS5O8YCU8waR2Tvoj3', 'yn6pRMEgNY1bpgSXTS', 'q99iiJ7BFw', 'SmaiWeUHWE'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, fPj6AkPx2qAFhopIaK.cs High entropy of concatenated method names: 'cQDWAS8DYL', 'bxJWNS7vMn', 'OkQWb1PIpy', 'JRGWCvQ0fr', 'H1yW6tjjq6', 'PxwWKuUglJ', 'xWsWX9nd4g', 'eEyWP0WFpp', 'BXsW5lcC5w', 'Gm5W94tbV5'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, GPdGYGqgmtlurm6Tlv.cs High entropy of concatenated method names: 'GupmkL9xFU', 'yjgmoyVC2D', 'y3QmU3YNQF', 'n1Mm4GOkkU', 'hMVmS2wssb', 'DRhmjRuNQY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, fhvTyDungqxGGCMZiu.cs High entropy of concatenated method names: 'IXWcjnNuV', 'hBL7YfijD', 'q6ahbAyqx', 'eTPrHPdFv', 'OQkDxkVrj', 'no0s1oH7T', 'rllTpNQ5quI5EFLgn8', 'vo0vQnXtpuPT81YOmC', 'mhsm4aoC1', 'EIyRDHc9q'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, neHFNba0Bf9OBB952Z.cs High entropy of concatenated method names: 'n9emNnQILd', 'E6KmbmAy8S', 'XP4mCE6oX4', 'LR3m6uNTLQ', 'BxImKlYguM', 'AdnmXYLRAN', 'wFTmPKkNgL', 'bWTm5Rxeym', 'POCm9ycvUc', 'otCmx8h5fl'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, ufAD2yTBcVVcJ17umw.cs High entropy of concatenated method names: 'KamGalwwZl', 'P1hGvSEf0I', 'V3MmdlmSAV', 'F9CmiI4yq3', 'PYfGHqn4jE', 'LURGLFw8nZ', 'Yy8GQJLqTK', 'AFAGSfQp8c', 'nlxGtQUdBO', 'VXOG1CU4mr'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, tUGtQd3DJjokEpwttN.cs High entropy of concatenated method names: 'yx0XIcH38G', 'Ci4XJ1gmOF', 'HEDXcs11O0', 'h7wX7o0On1', 'xJnXgMCkvP', 'SN2XhXK5Bv', 'IhxXrauJrc', 'dGxXVlxwSQ', 'JYcXDXF9YS', 'fwdXsCbMEG'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, Jj5f76sXuGlilYkdkY.cs High entropy of concatenated method names: 'vMe6gcI6E1', 'xx66rIdprk', 'GH9CUwOoBY', 'wXpC4rZxr9', 'SEHCjisKq7', 'QFyCeT7S0b', 'DDZCYcKH9J', 'jQvCFXolRg', 'qHPC3w7adK', 'YyZCp9JocV'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, KP4B3Tid2BcRujRrEAA.cs High entropy of concatenated method names: 'brWyI8lMTZ', 'yQ6yJkb6bX', 'zCUycfrZ7F', 'B7yy7fKvff', 'reAygyuP2J', 'uDRyhpm5s2', 'UYqyrrlyYM', 'vuEyVx6yAS', 'fvQyDlpx8m', 'aV5ys8JQWJ'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, IqF4oqVv8sTWNNV5OL.cs High entropy of concatenated method names: 'TWxbSu1oZ2', 'tnIbtunLSs', 'GDqb12GSNp', 'h3YbZnSgVJ', 'z1CbE2K7dF', 'LPkbTouHZ4', 'oOobMweYxK', 'y3ubaYAAKX', 'lH9bq84Kdn', 'H4ubvni5ci'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, BBL8gEifQ27YNSIdnxN.cs High entropy of concatenated method names: 'gFTCADNNeC1ak', 'clhoXQxR8f2usfbiy9J', 'Hka2hixHAXrSN29mMNp', 'dsvMApizhlpwMO3YSEt', 'smZheFxTXhQJbuojULE', 'FJD6hFxaYqX1OZuwevV'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, V8jl6SQ6uhSpgFnFWY.cs High entropy of concatenated method names: 'DtlnVLERen', 'qWVnDjROxT', 'fVCnkvT2t0', 'MfNnok8OlQ', 'jSsn4jiXuR', 'IYqnjd0mPy', 'clInYNkXaI', 'QEJnFVKoXQ', 'wpTnpcch5r', 'WqdnH9gydP'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, O3dqutDKKEPWagaMia.cs High entropy of concatenated method names: 'C8DC7wFE8O', 'z00ChXQO7p', 'DhRCVRijG0', 'w5HCDNUGrZ', 'BSTC0QSMPl', 'f0tC8ZHTbC', 'zWuCGWkKvL', 'PhvCmPGKcG', 'WyoCyjeVYq', 'hi6CRAMQ2p'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, vcvNOqzyLAdDgD4qMv.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WcxynGBhYM', 'nXty0XokxV', 'Jppy8gfDWo', 'BKpyGgipcN', 'XMZymPwMP8', 'zH8yySgtqF', 'xaVyRGwin7'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, sYLTpjiWm7p7olKQKCE.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uKYRSCSFmf', 'C5fRtNtREr', 'NW6R1BU0DE', 'lJMRZSA6AR', 'DVsREFns5t', 'MbfRTwOwsq', 'FniRM69BD4'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, MypjKDonacXux0UMPT.cs High entropy of concatenated method names: 'LGwoc6HbtRRwc79r0VW', 'Cmc5a6H3jYkA1NT24Fb', 'DIiKmCOIcQ', 'O1SKypWhqV', 'aXrKRlUZPG', 'XyYjCCHvMvZ2cobyi34', 'aEUxhZHtCXMeWCLINrG', 'kIgE4VHLB8RVNb59vvF'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, vJNiXViiGYRwVe8ZWvJ.cs High entropy of concatenated method names: 'ToString', 'E5cRW5hEBc', 'gkERf0uwXP', 'YJrRAkFmFp', 'fxcRNU6NNe', 'yrLRbQHMmJ', 'qUwRCGh5Fd', 'tPfR6QD1B2', 'sx31xKiS8VYcnjua29b', 'ifI4Mkiux9Sj9S0Q2dO'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, cqCFZcY25BEWh2DTtw.cs High entropy of concatenated method names: 'I1JXNYgojh', 'YWsXCPs1w4', 'kLoXKtDMqu', 'kUVKvkyBp2', 'N8SKzqSwaM', 'DksXd0IYMo', 'QSxXiolaPR', 'fnYXuL3FIi', 'VpMXWjwaeZ', 'HXQXfuWxky'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, CqPLsLbPmaWACgBFgl.cs High entropy of concatenated method names: 'Dispose', 'XpDiq0RZmG', 'k5TuoYNkGw', 'CteBBvs09T', 'gneivHFNb0', 'vf9izOBB95', 'ProcessDialogKey', 'vZkudPdGYG', 'Bmtuilurm6', 'Vlvuu9Tav3'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, w016agZ6Yv5lj1y6RX.cs High entropy of concatenated method names: 'l1aG9x5J8k', 'c0QGxRPTEj', 'ToString', 'y91GNqtfXZ', 'OghGbFeORU', 'K3FGCNc3WZ', 'qrUG6NDZRG', 'hEVGKMCufV', 'IvnGXnKeub', 'zXBGPAp9YL'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, pdtIeykDa1LgXtJ021.cs High entropy of concatenated method names: 'tuPKAmMgNv', 'kniKbrL0r6', 'PeYK64MNIm', 'aovKXCJ56u', 'XOxKPKUBCK', 'OS36EOqByM', 'iUq6TMvEh1', 'ND36Mv0Nu3', 'v4L6aPvxGI', 'oIX6qHANU1'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, mTav3nvGt7cQdHnaMV.cs High entropy of concatenated method names: 'pbMyiycejf', 'BHMyWQus8c', 'stUyfUQGu1', 'aMsyNASgaf', 'I6Zyb6Mmh7', 'JIsy6WeWk8', 'duCyKGADSo', 'zlImMNg9jn', 'NRAmayb1Am', 'WYfmqgZoSt'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, JsvX2Tfm2XdPsxwden.cs High entropy of concatenated method names: 'mp4iXqF4oq', 'Y8siPTWNNV', 'SKKi9EPWag', 'XMiixajj5f', 'Lkdi0kY8dt', 'yeyi8Da1Lg', 'dS5O8YCU8waR2Tvoj3', 'yn6pRMEgNY1bpgSXTS', 'q99iiJ7BFw', 'SmaiWeUHWE'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, fPj6AkPx2qAFhopIaK.cs High entropy of concatenated method names: 'cQDWAS8DYL', 'bxJWNS7vMn', 'OkQWb1PIpy', 'JRGWCvQ0fr', 'H1yW6tjjq6', 'PxwWKuUglJ', 'xWsWX9nd4g', 'eEyWP0WFpp', 'BXsW5lcC5w', 'Gm5W94tbV5'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, GPdGYGqgmtlurm6Tlv.cs High entropy of concatenated method names: 'GupmkL9xFU', 'yjgmoyVC2D', 'y3QmU3YNQF', 'n1Mm4GOkkU', 'hMVmS2wssb', 'DRhmjRuNQY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, fhvTyDungqxGGCMZiu.cs High entropy of concatenated method names: 'IXWcjnNuV', 'hBL7YfijD', 'q6ahbAyqx', 'eTPrHPdFv', 'OQkDxkVrj', 'no0s1oH7T', 'rllTpNQ5quI5EFLgn8', 'vo0vQnXtpuPT81YOmC', 'mhsm4aoC1', 'EIyRDHc9q'
Source: C:\Users\user\Desktop\Bank swift.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Bank swift.exe PID: 5556, type: MEMORYSTR
Source: C:\Users\user\Desktop\Bank swift.exe API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Users\user\Desktop\Bank swift.exe API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Users\user\Desktop\Bank swift.exe API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Users\user\Desktop\Bank swift.exe API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Users\user\Desktop\Bank swift.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\Desktop\Bank swift.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\Desktop\Bank swift.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bank swift.exe RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 2FD9904 second address: 2FD990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 2FD9B6E second address: 2FD9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bank swift.exe Memory allocated: 1750000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Bank swift.exe Memory allocated: 3070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Bank swift.exe Memory allocated: 5070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Bank swift.exe Memory allocated: 9250000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Bank swift.exe Memory allocated: 7660000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Bank swift.exe Memory allocated: A250000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Bank swift.exe Memory allocated: B250000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Bank swift.exe Memory allocated: BB50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Bank swift.exe Memory allocated: CB50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Bank swift.exe Memory allocated: DB50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_00409AA0 rdtsc 3_2_00409AA0
Source: C:\Users\user\Desktop\Bank swift.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1825
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 8124
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 884
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 866
Source: C:\Windows\SysWOW64\cscript.exe Window / User API: threadDelayed 9843
Source: C:\Users\user\Desktop\Bank swift.exe API coverage: 1.6 %
Source: C:\Windows\SysWOW64\cscript.exe API coverage: 1.6 %
Source: C:\Users\user\Desktop\Bank swift.exe TID: 6024 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6496 Thread sleep count: 1825 > 30
Source: C:\Windows\explorer.exe TID: 6496 Thread sleep time: -3650000s >= -30000s
Source: C:\Windows\explorer.exe TID: 6496 Thread sleep count: 8124 > 30
Source: C:\Windows\explorer.exe TID: 6496 Thread sleep time: -16248000s >= -30000s
Source: C:\Windows\SysWOW64\cscript.exe TID: 7104 Thread sleep count: 130 > 30
Source: C:\Windows\SysWOW64\cscript.exe TID: 7104 Thread sleep time: -260000s >= -30000s
Source: C:\Windows\SysWOW64\cscript.exe TID: 7104 Thread sleep count: 9843 > 30
Source: C:\Windows\SysWOW64\cscript.exe TID: 7104 Thread sleep time: -19686000s >= -30000s
Source: C:\Windows\SysWOW64\cscript.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_00792674 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,__alloca_probe_16,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose, 5_2_00792674
Source: explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000004.00000003.3837680509.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000004.00000002.4510303360.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000004.00000000.2049993282.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000004.00000003.3837680509.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000004.00000000.2066032017.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510303360.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000004.00000000.2049993282.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.4505790397.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Bank swift.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Bank swift.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cscript.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0040ACE0 LdrLoadDll, 3_2_0040ACE0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_0078AA82 LoadLibraryW,GetProcAddress,FreeLibrary, 5_2_0078AA82
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F4164 mov eax, dword ptr fs:[00000030h] 3_2_016F4164
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B4144 mov eax, dword ptr fs:[00000030h] 3_2_016B4144
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B4144 mov ecx, dword ptr fs:[00000030h] 3_2_016B4144
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B8158 mov eax, dword ptr fs:[00000030h] 3_2_016B8158
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01626154 mov eax, dword ptr fs:[00000030h] 3_2_01626154
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161C156 mov eax, dword ptr fs:[00000030h] 3_2_0161C156
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01650124 mov eax, dword ptr fs:[00000030h] 3_2_01650124
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016CE10E mov eax, dword ptr fs:[00000030h] 3_2_016CE10E
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016CE10E mov ecx, dword ptr fs:[00000030h] 3_2_016CE10E
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016CA118 mov ecx, dword ptr fs:[00000030h] 3_2_016CA118
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016CA118 mov eax, dword ptr fs:[00000030h] 3_2_016CA118
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016E0115 mov eax, dword ptr fs:[00000030h] 3_2_016E0115
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F61E5 mov eax, dword ptr fs:[00000030h] 3_2_016F61E5
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016501F8 mov eax, dword ptr fs:[00000030h] 3_2_016501F8
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016E61C3 mov eax, dword ptr fs:[00000030h] 3_2_016E61C3
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0169E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0169E1D0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0169E1D0 mov ecx, dword ptr fs:[00000030h] 3_2_0169E1D0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01660185 mov eax, dword ptr fs:[00000030h] 3_2_01660185
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016DC188 mov eax, dword ptr fs:[00000030h] 3_2_016DC188
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016C4180 mov eax, dword ptr fs:[00000030h] 3_2_016C4180
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A019F mov eax, dword ptr fs:[00000030h] 3_2_016A019F
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161A197 mov eax, dword ptr fs:[00000030h] 3_2_0161A197
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164C073 mov eax, dword ptr fs:[00000030h] 3_2_0164C073
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01622050 mov eax, dword ptr fs:[00000030h] 3_2_01622050
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A6050 mov eax, dword ptr fs:[00000030h] 3_2_016A6050
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161A020 mov eax, dword ptr fs:[00000030h] 3_2_0161A020
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161C020 mov eax, dword ptr fs:[00000030h] 3_2_0161C020
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B6030 mov eax, dword ptr fs:[00000030h] 3_2_016B6030
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A4000 mov ecx, dword ptr fs:[00000030h] 3_2_016A4000
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016C2000 mov eax, dword ptr fs:[00000030h] 3_2_016C2000
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0163E016 mov eax, dword ptr fs:[00000030h] 3_2_0163E016
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161A0E3 mov ecx, dword ptr fs:[00000030h] 3_2_0161A0E3
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A60E0 mov eax, dword ptr fs:[00000030h] 3_2_016A60E0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016280E9 mov eax, dword ptr fs:[00000030h] 3_2_016280E9
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161C0F0 mov eax, dword ptr fs:[00000030h] 3_2_0161C0F0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016620F0 mov ecx, dword ptr fs:[00000030h] 3_2_016620F0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A20DE mov eax, dword ptr fs:[00000030h] 3_2_016A20DE
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016180A0 mov eax, dword ptr fs:[00000030h] 3_2_016180A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B80A8 mov eax, dword ptr fs:[00000030h] 3_2_016B80A8
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016E60B8 mov eax, dword ptr fs:[00000030h] 3_2_016E60B8
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016E60B8 mov ecx, dword ptr fs:[00000030h] 3_2_016E60B8
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0162208A mov eax, dword ptr fs:[00000030h] 3_2_0162208A
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016C437C mov eax, dword ptr fs:[00000030h] 3_2_016C437C
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F634F mov eax, dword ptr fs:[00000030h] 3_2_016F634F
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A2349 mov eax, dword ptr fs:[00000030h] 3_2_016A2349
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A035C mov eax, dword ptr fs:[00000030h] 3_2_016A035C
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A035C mov ecx, dword ptr fs:[00000030h] 3_2_016A035C
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016EA352 mov eax, dword ptr fs:[00000030h] 3_2_016EA352
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016C8350 mov ecx, dword ptr fs:[00000030h] 3_2_016C8350
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F8324 mov eax, dword ptr fs:[00000030h] 3_2_016F8324
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F8324 mov ecx, dword ptr fs:[00000030h] 3_2_016F8324
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165A30B mov eax, dword ptr fs:[00000030h] 3_2_0165A30B
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161C310 mov ecx, dword ptr fs:[00000030h] 3_2_0161C310
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01640310 mov ecx, dword ptr fs:[00000030h] 3_2_01640310
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016303E9 mov eax, dword ptr fs:[00000030h] 3_2_016303E9
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0163E3F0 mov eax, dword ptr fs:[00000030h] 3_2_0163E3F0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016563FF mov eax, dword ptr fs:[00000030h] 3_2_016563FF
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016DC3CD mov eax, dword ptr fs:[00000030h] 3_2_016DC3CD
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0162A3C0 mov eax, dword ptr fs:[00000030h] 3_2_0162A3C0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016283C0 mov eax, dword ptr fs:[00000030h] 3_2_016283C0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A63C0 mov eax, dword ptr fs:[00000030h] 3_2_016A63C0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016CE3DB mov eax, dword ptr fs:[00000030h] 3_2_016CE3DB
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016CE3DB mov ecx, dword ptr fs:[00000030h] 3_2_016CE3DB
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016C43D4 mov eax, dword ptr fs:[00000030h] 3_2_016C43D4
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161E388 mov eax, dword ptr fs:[00000030h] 3_2_0161E388
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164438F mov eax, dword ptr fs:[00000030h] 3_2_0164438F
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01618397 mov eax, dword ptr fs:[00000030h] 3_2_01618397
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01624260 mov eax, dword ptr fs:[00000030h] 3_2_01624260
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161826B mov eax, dword ptr fs:[00000030h] 3_2_0161826B
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016D0274 mov eax, dword ptr fs:[00000030h] 3_2_016D0274
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A8243 mov eax, dword ptr fs:[00000030h] 3_2_016A8243
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A8243 mov ecx, dword ptr fs:[00000030h] 3_2_016A8243
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161A250 mov eax, dword ptr fs:[00000030h] 3_2_0161A250
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F625D mov eax, dword ptr fs:[00000030h] 3_2_016F625D
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01626259 mov eax, dword ptr fs:[00000030h] 3_2_01626259
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016DA250 mov eax, dword ptr fs:[00000030h] 3_2_016DA250
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161823B mov eax, dword ptr fs:[00000030h] 3_2_0161823B
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016302E1 mov eax, dword ptr fs:[00000030h] 3_2_016302E1
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0162A2C3 mov eax, dword ptr fs:[00000030h] 3_2_0162A2C3
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F62D6 mov eax, dword ptr fs:[00000030h] 3_2_016F62D6
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016302A0 mov eax, dword ptr fs:[00000030h] 3_2_016302A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016302A0 mov eax, dword ptr fs:[00000030h] 3_2_016302A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B62A0 mov eax, dword ptr fs:[00000030h] 3_2_016B62A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B62A0 mov ecx, dword ptr fs:[00000030h] 3_2_016B62A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B62A0 mov eax, dword ptr fs:[00000030h] 3_2_016B62A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B62A0 mov eax, dword ptr fs:[00000030h] 3_2_016B62A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B62A0 mov eax, dword ptr fs:[00000030h] 3_2_016B62A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B62A0 mov eax, dword ptr fs:[00000030h] 3_2_016B62A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165E284 mov eax, dword ptr fs:[00000030h] 3_2_0165E284
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165E284 mov eax, dword ptr fs:[00000030h] 3_2_0165E284
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A0283 mov eax, dword ptr fs:[00000030h] 3_2_016A0283
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A0283 mov eax, dword ptr fs:[00000030h] 3_2_016A0283
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A0283 mov eax, dword ptr fs:[00000030h] 3_2_016A0283
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165656A mov eax, dword ptr fs:[00000030h] 3_2_0165656A
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165656A mov eax, dword ptr fs:[00000030h] 3_2_0165656A
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165656A mov eax, dword ptr fs:[00000030h] 3_2_0165656A
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01628550 mov eax, dword ptr fs:[00000030h] 3_2_01628550
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01628550 mov eax, dword ptr fs:[00000030h] 3_2_01628550
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630535 mov eax, dword ptr fs:[00000030h] 3_2_01630535
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630535 mov eax, dword ptr fs:[00000030h] 3_2_01630535
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630535 mov eax, dword ptr fs:[00000030h] 3_2_01630535
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630535 mov eax, dword ptr fs:[00000030h] 3_2_01630535
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630535 mov eax, dword ptr fs:[00000030h] 3_2_01630535
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630535 mov eax, dword ptr fs:[00000030h] 3_2_01630535
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164E53E mov eax, dword ptr fs:[00000030h] 3_2_0164E53E
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164E53E mov eax, dword ptr fs:[00000030h] 3_2_0164E53E
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164E53E mov eax, dword ptr fs:[00000030h] 3_2_0164E53E
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164E53E mov eax, dword ptr fs:[00000030h] 3_2_0164E53E
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164E53E mov eax, dword ptr fs:[00000030h] 3_2_0164E53E
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B6500 mov eax, dword ptr fs:[00000030h] 3_2_016B6500
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F4500 mov eax, dword ptr fs:[00000030h] 3_2_016F4500
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F4500 mov eax, dword ptr fs:[00000030h] 3_2_016F4500
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F4500 mov eax, dword ptr fs:[00000030h] 3_2_016F4500
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F4500 mov eax, dword ptr fs:[00000030h] 3_2_016F4500
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F4500 mov eax, dword ptr fs:[00000030h] 3_2_016F4500
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F4500 mov eax, dword ptr fs:[00000030h] 3_2_016F4500
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F4500 mov eax, dword ptr fs:[00000030h] 3_2_016F4500
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016225E0 mov eax, dword ptr fs:[00000030h] 3_2_016225E0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164E5E7 mov eax, dword ptr fs:[00000030h] 3_2_0164E5E7
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164E5E7 mov eax, dword ptr fs:[00000030h] 3_2_0164E5E7
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164E5E7 mov eax, dword ptr fs:[00000030h] 3_2_0164E5E7
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164E5E7 mov eax, dword ptr fs:[00000030h] 3_2_0164E5E7
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164E5E7 mov eax, dword ptr fs:[00000030h] 3_2_0164E5E7
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164E5E7 mov eax, dword ptr fs:[00000030h] 3_2_0164E5E7
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164E5E7 mov eax, dword ptr fs:[00000030h] 3_2_0164E5E7
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164E5E7 mov eax, dword ptr fs:[00000030h] 3_2_0164E5E7
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165C5ED mov eax, dword ptr fs:[00000030h] 3_2_0165C5ED
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165C5ED mov eax, dword ptr fs:[00000030h] 3_2_0165C5ED
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165E5CF mov eax, dword ptr fs:[00000030h] 3_2_0165E5CF
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165E5CF mov eax, dword ptr fs:[00000030h] 3_2_0165E5CF
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016265D0 mov eax, dword ptr fs:[00000030h] 3_2_016265D0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165A5D0 mov eax, dword ptr fs:[00000030h] 3_2_0165A5D0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165A5D0 mov eax, dword ptr fs:[00000030h] 3_2_0165A5D0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A05A7 mov eax, dword ptr fs:[00000030h] 3_2_016A05A7
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A05A7 mov eax, dword ptr fs:[00000030h] 3_2_016A05A7
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A05A7 mov eax, dword ptr fs:[00000030h] 3_2_016A05A7
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016445B1 mov eax, dword ptr fs:[00000030h] 3_2_016445B1
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016445B1 mov eax, dword ptr fs:[00000030h] 3_2_016445B1
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01622582 mov eax, dword ptr fs:[00000030h] 3_2_01622582
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01622582 mov ecx, dword ptr fs:[00000030h] 3_2_01622582
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01654588 mov eax, dword ptr fs:[00000030h] 3_2_01654588
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165E59C mov eax, dword ptr fs:[00000030h] 3_2_0165E59C
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016AC460 mov ecx, dword ptr fs:[00000030h] 3_2_016AC460
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164A470 mov eax, dword ptr fs:[00000030h] 3_2_0164A470
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164A470 mov eax, dword ptr fs:[00000030h] 3_2_0164A470
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164A470 mov eax, dword ptr fs:[00000030h] 3_2_0164A470
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165E443 mov eax, dword ptr fs:[00000030h] 3_2_0165E443
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165E443 mov eax, dword ptr fs:[00000030h] 3_2_0165E443
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165E443 mov eax, dword ptr fs:[00000030h] 3_2_0165E443
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165E443 mov eax, dword ptr fs:[00000030h] 3_2_0165E443
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165E443 mov eax, dword ptr fs:[00000030h] 3_2_0165E443
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165E443 mov eax, dword ptr fs:[00000030h] 3_2_0165E443
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165E443 mov eax, dword ptr fs:[00000030h] 3_2_0165E443
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165E443 mov eax, dword ptr fs:[00000030h] 3_2_0165E443
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016DA456 mov eax, dword ptr fs:[00000030h] 3_2_016DA456
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161645D mov eax, dword ptr fs:[00000030h] 3_2_0161645D
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164245A mov eax, dword ptr fs:[00000030h] 3_2_0164245A
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161E420 mov eax, dword ptr fs:[00000030h] 3_2_0161E420
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161E420 mov eax, dword ptr fs:[00000030h] 3_2_0161E420
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161E420 mov eax, dword ptr fs:[00000030h] 3_2_0161E420
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161C427 mov eax, dword ptr fs:[00000030h] 3_2_0161C427
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A6420 mov eax, dword ptr fs:[00000030h] 3_2_016A6420
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A6420 mov eax, dword ptr fs:[00000030h] 3_2_016A6420
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A6420 mov eax, dword ptr fs:[00000030h] 3_2_016A6420
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A6420 mov eax, dword ptr fs:[00000030h] 3_2_016A6420
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A6420 mov eax, dword ptr fs:[00000030h] 3_2_016A6420
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A6420 mov eax, dword ptr fs:[00000030h] 3_2_016A6420
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A6420 mov eax, dword ptr fs:[00000030h] 3_2_016A6420
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165A430 mov eax, dword ptr fs:[00000030h] 3_2_0165A430
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01658402 mov eax, dword ptr fs:[00000030h] 3_2_01658402
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01658402 mov eax, dword ptr fs:[00000030h] 3_2_01658402
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01658402 mov eax, dword ptr fs:[00000030h] 3_2_01658402
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016204E5 mov ecx, dword ptr fs:[00000030h] 3_2_016204E5
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016264AB mov eax, dword ptr fs:[00000030h] 3_2_016264AB
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016544B0 mov ecx, dword ptr fs:[00000030h] 3_2_016544B0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016AA4B0 mov eax, dword ptr fs:[00000030h] 3_2_016AA4B0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016DA49A mov eax, dword ptr fs:[00000030h] 3_2_016DA49A
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01628770 mov eax, dword ptr fs:[00000030h] 3_2_01628770
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630770 mov eax, dword ptr fs:[00000030h] 3_2_01630770
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630770 mov eax, dword ptr fs:[00000030h] 3_2_01630770
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630770 mov eax, dword ptr fs:[00000030h] 3_2_01630770
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630770 mov eax, dword ptr fs:[00000030h] 3_2_01630770
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630770 mov eax, dword ptr fs:[00000030h] 3_2_01630770
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630770 mov eax, dword ptr fs:[00000030h] 3_2_01630770
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630770 mov eax, dword ptr fs:[00000030h] 3_2_01630770
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630770 mov eax, dword ptr fs:[00000030h] 3_2_01630770
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630770 mov eax, dword ptr fs:[00000030h] 3_2_01630770
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630770 mov eax, dword ptr fs:[00000030h] 3_2_01630770
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630770 mov eax, dword ptr fs:[00000030h] 3_2_01630770
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630770 mov eax, dword ptr fs:[00000030h] 3_2_01630770
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165674D mov esi, dword ptr fs:[00000030h] 3_2_0165674D
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165674D mov eax, dword ptr fs:[00000030h] 3_2_0165674D
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165674D mov eax, dword ptr fs:[00000030h] 3_2_0165674D
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01620750 mov eax, dword ptr fs:[00000030h] 3_2_01620750
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662750 mov eax, dword ptr fs:[00000030h] 3_2_01662750
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662750 mov eax, dword ptr fs:[00000030h] 3_2_01662750
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016AE75D mov eax, dword ptr fs:[00000030h] 3_2_016AE75D
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A4755 mov eax, dword ptr fs:[00000030h] 3_2_016A4755
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165C720 mov eax, dword ptr fs:[00000030h] 3_2_0165C720
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165C720 mov eax, dword ptr fs:[00000030h] 3_2_0165C720
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165273C mov eax, dword ptr fs:[00000030h] 3_2_0165273C
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165273C mov ecx, dword ptr fs:[00000030h] 3_2_0165273C
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165273C mov eax, dword ptr fs:[00000030h] 3_2_0165273C
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0169C730 mov eax, dword ptr fs:[00000030h] 3_2_0169C730
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165C700 mov eax, dword ptr fs:[00000030h] 3_2_0165C700
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01620710 mov eax, dword ptr fs:[00000030h] 3_2_01620710
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01650710 mov eax, dword ptr fs:[00000030h] 3_2_01650710
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016427ED mov eax, dword ptr fs:[00000030h] 3_2_016427ED
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016427ED mov eax, dword ptr fs:[00000030h] 3_2_016427ED
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016427ED mov eax, dword ptr fs:[00000030h] 3_2_016427ED
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016AE7E1 mov eax, dword ptr fs:[00000030h] 3_2_016AE7E1
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016247FB mov eax, dword ptr fs:[00000030h] 3_2_016247FB
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016247FB mov eax, dword ptr fs:[00000030h] 3_2_016247FB
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0162C7C0 mov eax, dword ptr fs:[00000030h] 3_2_0162C7C0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A07C3 mov eax, dword ptr fs:[00000030h] 3_2_016A07C3
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016207AF mov eax, dword ptr fs:[00000030h] 3_2_016207AF
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016D47A0 mov eax, dword ptr fs:[00000030h] 3_2_016D47A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016C678E mov eax, dword ptr fs:[00000030h] 3_2_016C678E
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016E866E mov eax, dword ptr fs:[00000030h] 3_2_016E866E
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016E866E mov eax, dword ptr fs:[00000030h] 3_2_016E866E
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165A660 mov eax, dword ptr fs:[00000030h] 3_2_0165A660
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165A660 mov eax, dword ptr fs:[00000030h] 3_2_0165A660
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01652674 mov eax, dword ptr fs:[00000030h] 3_2_01652674
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0163C640 mov eax, dword ptr fs:[00000030h] 3_2_0163C640
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0163E627 mov eax, dword ptr fs:[00000030h] 3_2_0163E627
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01656620 mov eax, dword ptr fs:[00000030h] 3_2_01656620
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01658620 mov eax, dword ptr fs:[00000030h] 3_2_01658620
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0162262C mov eax, dword ptr fs:[00000030h] 3_2_0162262C
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0169E609 mov eax, dword ptr fs:[00000030h] 3_2_0169E609
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0163260B mov eax, dword ptr fs:[00000030h] 3_2_0163260B
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0163260B mov eax, dword ptr fs:[00000030h] 3_2_0163260B
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0163260B mov eax, dword ptr fs:[00000030h] 3_2_0163260B
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0163260B mov eax, dword ptr fs:[00000030h] 3_2_0163260B
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0163260B mov eax, dword ptr fs:[00000030h] 3_2_0163260B
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0163260B mov eax, dword ptr fs:[00000030h] 3_2_0163260B
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0163260B mov eax, dword ptr fs:[00000030h] 3_2_0163260B
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01662619 mov eax, dword ptr fs:[00000030h] 3_2_01662619
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0169E6F2 mov eax, dword ptr fs:[00000030h] 3_2_0169E6F2
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0169E6F2 mov eax, dword ptr fs:[00000030h] 3_2_0169E6F2
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0169E6F2 mov eax, dword ptr fs:[00000030h] 3_2_0169E6F2
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0169E6F2 mov eax, dword ptr fs:[00000030h] 3_2_0169E6F2
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A06F1 mov eax, dword ptr fs:[00000030h] 3_2_016A06F1
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A06F1 mov eax, dword ptr fs:[00000030h] 3_2_016A06F1
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165A6C7 mov ebx, dword ptr fs:[00000030h] 3_2_0165A6C7
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165A6C7 mov eax, dword ptr fs:[00000030h] 3_2_0165A6C7
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165C6A6 mov eax, dword ptr fs:[00000030h] 3_2_0165C6A6
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016566B0 mov eax, dword ptr fs:[00000030h] 3_2_016566B0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01624690 mov eax, dword ptr fs:[00000030h] 3_2_01624690
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01624690 mov eax, dword ptr fs:[00000030h] 3_2_01624690
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01646962 mov eax, dword ptr fs:[00000030h] 3_2_01646962
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01646962 mov eax, dword ptr fs:[00000030h] 3_2_01646962
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01646962 mov eax, dword ptr fs:[00000030h] 3_2_01646962
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0166096E mov eax, dword ptr fs:[00000030h] 3_2_0166096E
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0166096E mov edx, dword ptr fs:[00000030h] 3_2_0166096E
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0166096E mov eax, dword ptr fs:[00000030h] 3_2_0166096E
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016C4978 mov eax, dword ptr fs:[00000030h] 3_2_016C4978
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016C4978 mov eax, dword ptr fs:[00000030h] 3_2_016C4978
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016AC97C mov eax, dword ptr fs:[00000030h] 3_2_016AC97C
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A0946 mov eax, dword ptr fs:[00000030h] 3_2_016A0946
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F4940 mov eax, dword ptr fs:[00000030h] 3_2_016F4940
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A892A mov eax, dword ptr fs:[00000030h] 3_2_016A892A
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B892B mov eax, dword ptr fs:[00000030h] 3_2_016B892B
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0169E908 mov eax, dword ptr fs:[00000030h] 3_2_0169E908
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0169E908 mov eax, dword ptr fs:[00000030h] 3_2_0169E908
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016AC912 mov eax, dword ptr fs:[00000030h] 3_2_016AC912
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01618918 mov eax, dword ptr fs:[00000030h] 3_2_01618918
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01618918 mov eax, dword ptr fs:[00000030h] 3_2_01618918
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016AE9E0 mov eax, dword ptr fs:[00000030h] 3_2_016AE9E0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016529F9 mov eax, dword ptr fs:[00000030h] 3_2_016529F9
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016529F9 mov eax, dword ptr fs:[00000030h] 3_2_016529F9
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B69C0 mov eax, dword ptr fs:[00000030h] 3_2_016B69C0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0162A9D0 mov eax, dword ptr fs:[00000030h] 3_2_0162A9D0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0162A9D0 mov eax, dword ptr fs:[00000030h] 3_2_0162A9D0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0162A9D0 mov eax, dword ptr fs:[00000030h] 3_2_0162A9D0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0162A9D0 mov eax, dword ptr fs:[00000030h] 3_2_0162A9D0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0162A9D0 mov eax, dword ptr fs:[00000030h] 3_2_0162A9D0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0162A9D0 mov eax, dword ptr fs:[00000030h] 3_2_0162A9D0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016549D0 mov eax, dword ptr fs:[00000030h] 3_2_016549D0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016EA9D3 mov eax, dword ptr fs:[00000030h] 3_2_016EA9D3
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h] 3_2_016329A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h] 3_2_016329A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h] 3_2_016329A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h] 3_2_016329A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h] 3_2_016329A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h] 3_2_016329A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h] 3_2_016329A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h] 3_2_016329A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h] 3_2_016329A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h] 3_2_016329A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h] 3_2_016329A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h] 3_2_016329A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h] 3_2_016329A0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016209AD mov eax, dword ptr fs:[00000030h] 3_2_016209AD
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016209AD mov eax, dword ptr fs:[00000030h] 3_2_016209AD
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A89B3 mov esi, dword ptr fs:[00000030h] 3_2_016A89B3
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A89B3 mov eax, dword ptr fs:[00000030h] 3_2_016A89B3
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016A89B3 mov eax, dword ptr fs:[00000030h] 3_2_016A89B3
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016AE872 mov eax, dword ptr fs:[00000030h] 3_2_016AE872
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016AE872 mov eax, dword ptr fs:[00000030h] 3_2_016AE872
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B6870 mov eax, dword ptr fs:[00000030h] 3_2_016B6870
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B6870 mov eax, dword ptr fs:[00000030h] 3_2_016B6870
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01632840 mov ecx, dword ptr fs:[00000030h] 3_2_01632840
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01650854 mov eax, dword ptr fs:[00000030h] 3_2_01650854
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01624859 mov eax, dword ptr fs:[00000030h] 3_2_01624859
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01624859 mov eax, dword ptr fs:[00000030h] 3_2_01624859
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01642835 mov eax, dword ptr fs:[00000030h] 3_2_01642835
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01642835 mov eax, dword ptr fs:[00000030h] 3_2_01642835
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01642835 mov eax, dword ptr fs:[00000030h] 3_2_01642835
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01642835 mov ecx, dword ptr fs:[00000030h] 3_2_01642835
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01642835 mov eax, dword ptr fs:[00000030h] 3_2_01642835
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01642835 mov eax, dword ptr fs:[00000030h] 3_2_01642835
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165A830 mov eax, dword ptr fs:[00000030h] 3_2_0165A830
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016C483A mov eax, dword ptr fs:[00000030h] 3_2_016C483A
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016C483A mov eax, dword ptr fs:[00000030h] 3_2_016C483A
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016AC810 mov eax, dword ptr fs:[00000030h] 3_2_016AC810
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016EA8E4 mov eax, dword ptr fs:[00000030h] 3_2_016EA8E4
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165C8F9 mov eax, dword ptr fs:[00000030h] 3_2_0165C8F9
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165C8F9 mov eax, dword ptr fs:[00000030h] 3_2_0165C8F9
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164E8C0 mov eax, dword ptr fs:[00000030h] 3_2_0164E8C0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F08C0 mov eax, dword ptr fs:[00000030h] 3_2_016F08C0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01620887 mov eax, dword ptr fs:[00000030h] 3_2_01620887
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016AC89D mov eax, dword ptr fs:[00000030h] 3_2_016AC89D
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0161CB7E mov eax, dword ptr fs:[00000030h] 3_2_0161CB7E
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016D4B4B mov eax, dword ptr fs:[00000030h] 3_2_016D4B4B
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016D4B4B mov eax, dword ptr fs:[00000030h] 3_2_016D4B4B
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B6B40 mov eax, dword ptr fs:[00000030h] 3_2_016B6B40
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016B6B40 mov eax, dword ptr fs:[00000030h] 3_2_016B6B40
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016EAB40 mov eax, dword ptr fs:[00000030h] 3_2_016EAB40
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016C8B42 mov eax, dword ptr fs:[00000030h] 3_2_016C8B42
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01618B50 mov eax, dword ptr fs:[00000030h] 3_2_01618B50
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F2B57 mov eax, dword ptr fs:[00000030h] 3_2_016F2B57
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F2B57 mov eax, dword ptr fs:[00000030h] 3_2_016F2B57
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F2B57 mov eax, dword ptr fs:[00000030h] 3_2_016F2B57
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F2B57 mov eax, dword ptr fs:[00000030h] 3_2_016F2B57
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016CEB50 mov eax, dword ptr fs:[00000030h] 3_2_016CEB50
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164EB20 mov eax, dword ptr fs:[00000030h] 3_2_0164EB20
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164EB20 mov eax, dword ptr fs:[00000030h] 3_2_0164EB20
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016E8B28 mov eax, dword ptr fs:[00000030h] 3_2_016E8B28
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016E8B28 mov eax, dword ptr fs:[00000030h] 3_2_016E8B28
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016F4B00 mov eax, dword ptr fs:[00000030h] 3_2_016F4B00
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0169EB1D mov eax, dword ptr fs:[00000030h] 3_2_0169EB1D
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01628BF0 mov eax, dword ptr fs:[00000030h] 3_2_01628BF0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164EBFC mov eax, dword ptr fs:[00000030h] 3_2_0164EBFC
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016ACBF0 mov eax, dword ptr fs:[00000030h] 3_2_016ACBF0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01640BCB mov eax, dword ptr fs:[00000030h] 3_2_01640BCB
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01620BCD mov eax, dword ptr fs:[00000030h] 3_2_01620BCD
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016CEBD0 mov eax, dword ptr fs:[00000030h] 3_2_016CEBD0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630BBE mov eax, dword ptr fs:[00000030h] 3_2_01630BBE
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016D4BB0 mov eax, dword ptr fs:[00000030h] 3_2_016D4BB0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165CA6F mov eax, dword ptr fs:[00000030h] 3_2_0165CA6F
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016CEA60 mov eax, dword ptr fs:[00000030h] 3_2_016CEA60
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0169CA72 mov eax, dword ptr fs:[00000030h] 3_2_0169CA72
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01626A50 mov eax, dword ptr fs:[00000030h] 3_2_01626A50
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01630A5B mov eax, dword ptr fs:[00000030h] 3_2_01630A5B
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165CA24 mov eax, dword ptr fs:[00000030h] 3_2_0165CA24
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0164EA2E mov eax, dword ptr fs:[00000030h] 3_2_0164EA2E
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01644A35 mov eax, dword ptr fs:[00000030h] 3_2_01644A35
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165CA38 mov eax, dword ptr fs:[00000030h] 3_2_0165CA38
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_016ACA11 mov eax, dword ptr fs:[00000030h] 3_2_016ACA11
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_0165AAEE mov eax, dword ptr fs:[00000030h] 3_2_0165AAEE
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01676ACC mov eax, dword ptr fs:[00000030h] 3_2_01676ACC
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01620AD0 mov eax, dword ptr fs:[00000030h] 3_2_01620AD0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01654AD0 mov eax, dword ptr fs:[00000030h] 3_2_01654AD0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01628AA0 mov eax, dword ptr fs:[00000030h] 3_2_01628AA0
Source: C:\Users\user\Desktop\Bank swift.exe Code function: 3_2_01676AA4 mov eax, dword ptr fs:[00000030h] 3_2_01676AA4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_0078647E GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 5_2_0078647E
Source: C:\Users\user\Desktop\Bank swift.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_0078DCAA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0078DCAA
Source: C:\Users\user\Desktop\Bank swift.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Bank swift.exe NtQueueApcThread: Indirect: 0x117A4F2
Source: C:\Users\user\Desktop\Bank swift.exe NtClose: Indirect: 0x117A56C
Source: C:\Users\user\Desktop\Bank swift.exe Memory written: C:\Users\user\Desktop\Bank swift.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Bank swift.exe Section loaded: NULL target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Bank swift.exe Thread register set: target process: 1028
Source: C:\Windows\SysWOW64\cscript.exe Thread register set: target process: 1028
Source: C:\Users\user\Desktop\Bank swift.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\Bank swift.exe Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 780000
Source: C:\Users\user\Desktop\Bank swift.exe Process created: C:\Users\user\Desktop\Bank swift.exe "C:\Users\user\Desktop\Bank swift.exe"
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Bank swift.exe"
Source: explorer.exe, 00000004.00000002.4510303360.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000004.00000000.2050547322.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4502745785.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.2050547322.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2063341821.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4502745785.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.2050547322.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4502745785.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.2050547322.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4502745785.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000002.4501873324.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2049993282.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Source: C:\Windows\SysWOW64\cscript.exe Code function: GetUserDefaultLCID,FreeLibrary,GetLocaleInfoA,LoadStringA,GetModuleFileNameA,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,GetUserDefaultLCID,GetLocaleInfoA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA, 5_2_0078AADC
Source: C:\Windows\SysWOW64\cscript.exe Code function: GetLocaleInfoW,wcsncmp, 5_2_00797E85
Source: C:\Windows\SysWOW64\cscript.exe Code function: GetLocaleInfoW, 5_2_0078AB35
Source: C:\Users\user\Desktop\Bank swift.exe Queries volume information: C:\Users\user\Desktop\Bank swift.exe VolumeInformation
Source: C:\Users\user\Desktop\Bank swift.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Bank swift.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Bank swift.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Bank swift.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Bank swift.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_0078DC00 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 5_2_0078DC00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_00787490 RegOpenKeyExW,RegOpenKeyExW,SysFreeString,RegCloseKey,RegCloseKey,WideCharToMultiByte,__alloca_probe_16,WideCharToMultiByte,RegOpenKeyExA,GetLastError,RegisterEventSourceW,GetUserNameW,LookupAccountNameW,LookupAccountNameW,ReportEventW,DeregisterEventSource, 5_2_00787490
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_0078A9C0 InitializeCriticalSection,GetVersionExA, 5_2_0078A9C0
Source: C:\Users\user\Desktop\Bank swift.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_00795880 CreateBindCtx,MkParseDisplayName, 5_2_00795880
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_0078CD6C CoCreateInstance,CoCreateInstance,GetUserDefaultLCID,CoGetClassObject,CreateBindCtx, 5_2_0078CD6C
No contacted IP infos