Windows Analysis Report
COPIA DE PAGO SWIFT.exe

Overview

General Information

Sample name: COPIA DE PAGO SWIFT.exe
Analysis ID: 1426817
MD5: c17bf2429aa2d5762a183ddfa50e6b09
SHA1: 4a12f5318bbf2c8b5e6bc0cde4860fb6e1e1ea36
SHA256: d2771de5bfa94a9b82ebf960006227bdeb8367f719ded9e74de6fad8f0cbdc47
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.notarius.gr", "Username": "a.voulgaraki@notarius.gr", "Password": "25021989AB"}
Source: COPIA DE PAGO SWIFT.exe ReversingLabs: Detection: 60%
Source: COPIA DE PAGO SWIFT.exe Virustotal: Detection: 35%
Source: COPIA DE PAGO SWIFT.exe Joe Sandbox ML: detected
Source: COPIA DE PAGO SWIFT.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: COPIA DE PAGO SWIFT.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 4x nop then jmp 0C1F012Eh 0_2_0C1F02F3
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 4x nop then jmp 0C1F012Eh 0_2_0C1F0AE8

Networking

Source: Yara match File source: 0.2.COPIA DE PAGO SWIFT.exe.43cdcd8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.8:49708 -> 185.25.23.240:587
Source: Joe Sandbox View ASN Name: POINTERGR POINTERGR
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: mail.notarius.gr
Source: COPIA DE PAGO SWIFT.exe, 00000006.00000002.2557138643.00000000031C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.notarius.gr
Source: COPIA DE PAGO SWIFT.exe, 00000006.00000002.2555782846.0000000001356000.00000004.00000020.00020000.00000000.sdmp, COPIA DE PAGO SWIFT.exe, 00000006.00000002.2557138643.00000000031C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0%
Source: COPIA DE PAGO SWIFT.exe, 00000006.00000002.2555782846.0000000001356000.00000004.00000020.00020000.00000000.sdmp, COPIA DE PAGO SWIFT.exe, 00000006.00000002.2557138643.00000000031C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: COPIA DE PAGO SWIFT.exe, 00000000.00000002.1352967571.0000000003151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: COPIA DE PAGO SWIFT.exe, 00000006.00000002.2555782846.000000000132E000.00000004.00000020.00020000.00000000.sdmp, COPIA DE PAGO SWIFT.exe, 00000006.00000002.2555782846.0000000001356000.00000004.00000020.00020000.00000000.sdmp, COPIA DE PAGO SWIFT.exe, 00000006.00000002.2560455299.0000000006B62000.00000004.00000020.00020000.00000000.sdmp, COPIA DE PAGO SWIFT.exe, 00000006.00000002.2557138643.00000000031C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: COPIA DE PAGO SWIFT.exe, 00000006.00000002.2555782846.000000000132E000.00000004.00000020.00020000.00000000.sdmp, COPIA DE PAGO SWIFT.exe, 00000006.00000002.2555782846.0000000001356000.00000004.00000020.00020000.00000000.sdmp, COPIA DE PAGO SWIFT.exe, 00000006.00000002.2560455299.0000000006B62000.00000004.00000020.00020000.00000000.sdmp, COPIA DE PAGO SWIFT.exe, 00000006.00000002.2557138643.00000000031C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: COPIA DE PAGO SWIFT.exe, 00000000.00000002.1353799186.0000000004393000.00000004.00000800.00020000.00000000.sdmp, COPIA DE PAGO SWIFT.exe, 00000006.00000002.2555583452.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.raw.unpack, cPKWk.cs .Net Code: Bzyfxent
Source: 0.2.COPIA DE PAGO SWIFT.exe.43cdcd8.10.raw.unpack, cPKWk.cs .Net Code: Bzyfxent

System Summary

Source: 0.2.COPIA DE PAGO SWIFT.exe.43cdcd8.10.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.COPIA DE PAGO SWIFT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.COPIA DE PAGO SWIFT.exe.43cdcd8.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.COPIA DE PAGO SWIFT.exe.3179b80.4.raw.unpack, SQL.cs Large array initialization: array initializer size 13797
Source: 0.2.COPIA DE PAGO SWIFT.exe.5d50000.12.raw.unpack, SQL.cs Large array initialization: array initializer size 13797
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0179E574 0_2_0179E574
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_01794B01 0_2_01794B01
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_07367608 0_2_07367608
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0736A555 0_2_0736A555
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0736A558 0_2_0736A558
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0736A120 0_2_0736A120
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0736C190 0_2_0736C190
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0736BD58 0_2_0736BD58
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0736CB40 0_2_0736CB40
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_07361A08 0_2_07361A08
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_073619F7 0_2_073619F7
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0C1F2008 0_2_0C1F2008
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 6_2_017E9BEA 6_2_017E9BEA
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 6_2_017E4A98 6_2_017E4A98
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 6_2_017ECDB0 6_2_017ECDB0
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 6_2_017E3E80 6_2_017E3E80
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 6_2_017E41C8 6_2_017E41C8
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 6_2_017ED158 6_2_017ED158
Source: COPIA DE PAGO SWIFT.exe, 00000000.00000002.1352967571.0000000003151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs COPIA DE PAGO SWIFT.exe
Source: COPIA DE PAGO SWIFT.exe, 00000000.00000002.1356154272.0000000005D50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs COPIA DE PAGO SWIFT.exe
Source: COPIA DE PAGO SWIFT.exe, 00000000.00000002.1356487010.00000000073B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs COPIA DE PAGO SWIFT.exe
Source: COPIA DE PAGO SWIFT.exe, 00000000.00000002.1353799186.0000000004393000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename73da3253-910f-4774-b481-9f3481dcac62.exe4 vs COPIA DE PAGO SWIFT.exe
Source: COPIA DE PAGO SWIFT.exe, 00000000.00000002.1353799186.0000000004393000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs COPIA DE PAGO SWIFT.exe
Source: COPIA DE PAGO SWIFT.exe, 00000000.00000002.1351015714.00000000012BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs COPIA DE PAGO SWIFT.exe
Source: COPIA DE PAGO SWIFT.exe, 00000000.00000002.1352967571.00000000031A4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename73da3253-910f-4774-b481-9f3481dcac62.exe4 vs COPIA DE PAGO SWIFT.exe
Source: COPIA DE PAGO SWIFT.exe, 00000006.00000002.2555718739.0000000000FC9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs COPIA DE PAGO SWIFT.exe
Source: COPIA DE PAGO SWIFT.exe, 00000006.00000002.2555583452.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename73da3253-910f-4774-b481-9f3481dcac62.exe4 vs COPIA DE PAGO SWIFT.exe
Source: COPIA DE PAGO SWIFT.exe Binary or memory string: OriginalFilenamePTof.exe4 vs COPIA DE PAGO SWIFT.exe
Source: COPIA DE PAGO SWIFT.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.COPIA DE PAGO SWIFT.exe.43cdcd8.10.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.COPIA DE PAGO SWIFT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.COPIA DE PAGO SWIFT.exe.43cdcd8.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: COPIA DE PAGO SWIFT.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.raw.unpack, cPs8D.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.raw.unpack, 72CF8egH.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.raw.unpack, G5CXsdn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.raw.unpack, 3uPsILA6U.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.raw.unpack, 6oQOw74dfIt.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.raw.unpack, aMIWm.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, WV76kGTkYMwrrWMZPR.cs Security API names: _0020.SetAccessControl
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, WV76kGTkYMwrrWMZPR.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, WV76kGTkYMwrrWMZPR.cs Security API names: _0020.AddAccessRule
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, Y0kqZOxP0prc6JwhKk.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, WV76kGTkYMwrrWMZPR.cs Security API names: _0020.SetAccessControl
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, WV76kGTkYMwrrWMZPR.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, WV76kGTkYMwrrWMZPR.cs Security API names: _0020.AddAccessRule
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, Y0kqZOxP0prc6JwhKk.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/6@1/1
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\COPIA DE PAGO SWIFT.exe.log
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Mutant created: NULL
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Mutant created: \Sessions\1\BaseNamedObjects\QWYPovhnPxdsmocGR
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4nqeqj14.eaw.ps1
Source: COPIA DE PAGO SWIFT.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: COPIA DE PAGO SWIFT.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: COPIA DE PAGO SWIFT.exe ReversingLabs: Detection: 60%
Source: COPIA DE PAGO SWIFT.exe Virustotal: Detection: 35%
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe File read: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe "C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe"
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe"
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process created: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe "C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process created: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe "C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe"
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe"
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process created: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe "C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe"
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process created: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe "C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe"
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: COPIA DE PAGO SWIFT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: COPIA DE PAGO SWIFT.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: COPIA DE PAGO SWIFT.exe, Form1.cs .Net Code: InitializeComponent
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, WV76kGTkYMwrrWMZPR.cs .Net Code: FLvsteXRfB System.Reflection.Assembly.Load(byte[])
Source: 0.2.COPIA DE PAGO SWIFT.exe.3179b80.4.raw.unpack, SQL.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.COPIA DE PAGO SWIFT.exe.5d50000.12.raw.unpack, SQL.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, WV76kGTkYMwrrWMZPR.cs .Net Code: FLvsteXRfB System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578C53C push ebx; retf 0_2_0578C542
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578C509 push ebx; retf 0_2_0578C50A
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578C50B push ebx; retf 0_2_0578C512
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578C77D push esp; retf 0_2_0578C78A
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578C78B push esp; retf 0_2_0578C792
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578C6E0 push esp; retf 0_2_0578C78A
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578C6D1 push esp; retf 0_2_0578C6D2
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578A1E0 push esp; retf 0_2_0578A1E1
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_05788041 push ss; retf 0_2_05788042
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578C3E1 push ebx; retf 0_2_0578C3E2
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578C229 push eax; retf 0_2_0578C22A
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578CD61 push esi; retf 0_2_0578CD62
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578CD63 push esi; retf 0_2_0578CD6A
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578CDA9 push edi; retf 0_2_0578CDAA
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578CDAB push edi; retf 0_2_0578CDB2
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578CC71 push esi; retf 0_2_0578CC72
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578CC73 push esi; retf 0_2_0578CC7A
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578CC28 push esi; retf 0_2_0578CC2A
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578CC2B push esi; retf 0_2_0578CC32
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578CE51 push edi; retf 0_2_0578CE52
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578C9E8 push ebp; retf 0_2_0578C9F2
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578C9B8 push ebp; retf 0_2_0578C9BA
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578C9BB push ebp; retf 0_2_0578C9C2
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578C8F0 push esp; retf 0_2_0578C8F2
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578CB17 push ebp; retf 0_2_0578CB1A
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578CB03 push ebp; retf 0_2_0578CB0A
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0578CBF9 push esi; retf 0_2_0578CBFA
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_05787770 push cs; retf 0_2_05787776
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_05789208 push esp; retf 0_2_05789209
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_0736B444 push ecx; retf 0_2_0736B493
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Code function: 0_2_073632D7 pushfd ; ret 0_2_073632DA
Source: COPIA DE PAGO SWIFT.exe Static PE information: section name: .text entropy: 7.963956972570338
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, wiV67hwWb3JpZXVd8h.cs High entropy of concatenated method names: 'Pr0eheR9MB', 'N5cegSMkb5', 'mFYE7022kD', 'l4jERUMbs6', 'snDENuHVeS', 'Gg0ECrTsw8', 'tk6EMhNlSy', 'xFDEUPLWhU', 'vMTEaV3W49', 'FWDErYFupB'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, VgodAGHBGW7UjxByLIX.cs High entropy of concatenated method names: 'ko0cFJAZfa', 'EMjcSTnaeJ', 'a7Zctv6B16', 'zPscVQgWfV', 'qAHchZdtdB', 'xIacxnBu5C', 'OQqcgFeYRT', 'pGZcfxlO7b', 'Bs6cwb3Enb', 'PGScPSxFxD'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, yVMhGLtKawYo6gpcKU.cs High entropy of concatenated method names: 'ToString', 'HqK3yqDeqo', 'GeU3JJRMCf', 'l6037b5r8w', 'lWd3RMZ5tF', 'Y2Z3NqPCHu', 'K563C2Z9Sq', 'WaT3Mrsbe3', 'JKn3Uw455b', 'gjL3aIcNBc'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, TXAaymkeQKF96miIIh.cs High entropy of concatenated method names: 'jtuTZA1IWg', 'MZOTi8N8px', 'a0STEQ61ml', 'pxmTeZJW40', 'IrqT2mgYv9', 'UwMTOcHos4', 'QHGTIyvxNA', 'rZCT19UJHI', 'guhTHvIlls', 'NAkTQ3UBFg'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, bmglciJ6QWd4e01Ph2.cs High entropy of concatenated method names: 'HhpmfgYb3X', 'r5smwst9PF', 'XfPmbQg7Wi', 'y7CmJHG4VO', 's1kmR33iuT', 'xCBmNiaMOP', 'SJYmMurnX1', 'h7SmUiKNny', 'bTCmrFspF7', 'rPYmymxlOA'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, ewr3jEIIuV17iTnEex.cs High entropy of concatenated method names: 'JWocqLACWf', 'xQxcAVfHJh', 'JM6csIVUXW', 'GfGcZYygrN', 'Jvtci6JdHT', 'cswceFHijP', 'NKPc2xYH75', 'XGUT0kwLCH', 'WWQTY72THw', 'UhxT40BtgI'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, Y0kqZOxP0prc6JwhKk.cs High entropy of concatenated method names: 'fcHiurqw9q', 'BL1iBkrVSf', 'G5nij1mb6w', 'c5MilQyOh3', 'QmEivT9F2r', 'NFjiDDUmbK', 'cLki0IFult', 'wlBiYxYs38', 'FsJi4oqVNw', 'Wcdidt3fJo'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, XscShiFaNyMb1r5VUv.cs High entropy of concatenated method names: 'z9NEVhNVI2', 'Ya9ExEtHAc', 'ylZEf5002y', 'IamEwb5Um3', 'oKfE9vZBuL', 'BcAE3ELHoX', 'AlXEnwMG4v', 'lsPETas1W0', 'OISEcUua98', 'THWE5yeu3t'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, YgUCUWSqR8TSMUJevY.cs High entropy of concatenated method names: 'cYntaXnYr', 'FtEVGqdGd', 'dqBxkgLQl', 'zEtgqrCJU', 'uGPwIqtN7', 'yo6PcnABF', 'YRrV93yAXb32QytMYK', 'YFMLIunNAP2ecuX3ft', 'QcMTopAUk', 'KAr5jvBPd'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, WV76kGTkYMwrrWMZPR.cs High entropy of concatenated method names: 'nagAWwIdua', 'uwNAZi9Gwx', 'S4DAit87SS', 'GWjAEa9WHD', 'yURAe3P4OX', 'x8MA2TAWpO', 'uiyAOyIeMK', 'e4KAIFY5cn', 'afJA1jOO27', 'Q9dAHbY0wA'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, qcL2oPz7ftIshJRep0.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kiGcm9K14u', 'CUEc9rojAa', 'rX4c3wkSce', 'NG5cnAUtVw', 'awZcTv7nHM', 'xpNccRdxns', 'MLLc51baMc'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, j31TVHY4mr0OfJh8s1.cs High entropy of concatenated method names: 'OAW2WODvCC', 'Adx2iSVG2V', 'ySw2eNWLdh', 'ySP2Oy8dSr', 'prR2IKHOiC', 'iOdevOHIT0', 'R7jeD9rtd8', 'Bede0M4K2o', 'EdKeYd3VuC', 'uqye4NJYGu'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, zYE416MwuHJwjifA6i.cs High entropy of concatenated method names: 'LYHnYLPXjD', 'TXNndKePDJ', 'EfUTkShYP7', 'PXaTqPQ9Iu', 'ghsnymTE2H', 'NF9nKI7Wk2', 'YbMnXMq3Wy', 'c8anuYQ6oi', 'OBCnBigeBR', 'Q4hnjK6DlI'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, lYxW7oARmY5VljSsEJ.cs High entropy of concatenated method names: 'Dispose', 'g3Jq4bPq1D', 'UfS6JKfeCQ', 'EaFGG6d5gd', 'sdGqdImto9', 'CDwqzFcdTx', 'ProcessDialogKey', 'zON6kvvUde', 'LuB6qYTOxc', 'DGI66cSvNK'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, oXMRJZOupQopgiWmos.cs High entropy of concatenated method names: 'W3b9rukQ3t', 'H6E9KDisag', 'Tdc9u7lDHv', 'a0J9BwhVCv', 'H1o9JN5DbO', 'xjW97ZynXo', 'SJ69RR6lcx', 'RR79N7KIMB', 'HTW9CCrGDB', 'QTT9MgYWFV'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, MBlOSSUK8MFLvjXcLd.cs High entropy of concatenated method names: 'SXuOFw3jhx', 'tJ5OSI9cs7', 'gQkOtkHcYx', 'hiuOV4vq1w', 'sQKOhuEVWq', 'VYoOxRhK6N', 'CHOOgFI66s', 'USJOfeuHEY', 'Hq6OwMYXNb', 'Gp6OPdhoW4'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, FBWPZ9HlSLp0JOWehuN.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tHD5uuq1do', 'PjE5BaXQlk', 'lyp5jJOjWT', 'QJi5lJDBCG', 'YxW5vAyCRU', 'Lbb5DVqavS', 'G9y50fjH41'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, rgAMVdNjhaRgf5miji.cs High entropy of concatenated method names: 'xsIqOgEEH1', 'GqjqILqtRI', 'coPqHhHLuJ', 'A36qQyfM0A', 'Tagq9s011x', 'Wemq3ia6D5', 'xa3ZHiaUVA76E90dDW', 'BXEtXefRTNmaO3PVIA', 'kKrqqLm1gH', 'fNrqAHoQKy'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, wQlXod4v6Xc2slkNos.cs High entropy of concatenated method names: 'wMHOZ3qSUP', 'u3lOEXEfRf', 'Ds4O2rwFaY', 'EZu2dCTq6X', 'Erf2zUiMWV', 'mpJOksLZju', 'g9rOqorYVD', 'ihhO6cGrPN', 'awJOAFKxYS', 'jWHOsN1oLt'
Source: 0.2.COPIA DE PAGO SWIFT.exe.73b0000.15.raw.unpack, Q2hWVB0sWRfQ4N1idC.cs High entropy of concatenated method names: 'tEeTbDy2CS', 'nxsTJe6Ige', 'FKAT7sstus', 'oZiTRWN4OG', 'M4fTu1FYDN', 'M6ZTNNrZZo', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, wiV67hwWb3JpZXVd8h.cs High entropy of concatenated method names: 'Pr0eheR9MB', 'N5cegSMkb5', 'mFYE7022kD', 'l4jERUMbs6', 'snDENuHVeS', 'Gg0ECrTsw8', 'tk6EMhNlSy', 'xFDEUPLWhU', 'vMTEaV3W49', 'FWDErYFupB'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, VgodAGHBGW7UjxByLIX.cs High entropy of concatenated method names: 'ko0cFJAZfa', 'EMjcSTnaeJ', 'a7Zctv6B16', 'zPscVQgWfV', 'qAHchZdtdB', 'xIacxnBu5C', 'OQqcgFeYRT', 'pGZcfxlO7b', 'Bs6cwb3Enb', 'PGScPSxFxD'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, yVMhGLtKawYo6gpcKU.cs High entropy of concatenated method names: 'ToString', 'HqK3yqDeqo', 'GeU3JJRMCf', 'l6037b5r8w', 'lWd3RMZ5tF', 'Y2Z3NqPCHu', 'K563C2Z9Sq', 'WaT3Mrsbe3', 'JKn3Uw455b', 'gjL3aIcNBc'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, TXAaymkeQKF96miIIh.cs High entropy of concatenated method names: 'jtuTZA1IWg', 'MZOTi8N8px', 'a0STEQ61ml', 'pxmTeZJW40', 'IrqT2mgYv9', 'UwMTOcHos4', 'QHGTIyvxNA', 'rZCT19UJHI', 'guhTHvIlls', 'NAkTQ3UBFg'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, bmglciJ6QWd4e01Ph2.cs High entropy of concatenated method names: 'HhpmfgYb3X', 'r5smwst9PF', 'XfPmbQg7Wi', 'y7CmJHG4VO', 's1kmR33iuT', 'xCBmNiaMOP', 'SJYmMurnX1', 'h7SmUiKNny', 'bTCmrFspF7', 'rPYmymxlOA'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, ewr3jEIIuV17iTnEex.cs High entropy of concatenated method names: 'JWocqLACWf', 'xQxcAVfHJh', 'JM6csIVUXW', 'GfGcZYygrN', 'Jvtci6JdHT', 'cswceFHijP', 'NKPc2xYH75', 'XGUT0kwLCH', 'WWQTY72THw', 'UhxT40BtgI'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, Y0kqZOxP0prc6JwhKk.cs High entropy of concatenated method names: 'fcHiurqw9q', 'BL1iBkrVSf', 'G5nij1mb6w', 'c5MilQyOh3', 'QmEivT9F2r', 'NFjiDDUmbK', 'cLki0IFult', 'wlBiYxYs38', 'FsJi4oqVNw', 'Wcdidt3fJo'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, XscShiFaNyMb1r5VUv.cs High entropy of concatenated method names: 'z9NEVhNVI2', 'Ya9ExEtHAc', 'ylZEf5002y', 'IamEwb5Um3', 'oKfE9vZBuL', 'BcAE3ELHoX', 'AlXEnwMG4v', 'lsPETas1W0', 'OISEcUua98', 'THWE5yeu3t'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, YgUCUWSqR8TSMUJevY.cs High entropy of concatenated method names: 'cYntaXnYr', 'FtEVGqdGd', 'dqBxkgLQl', 'zEtgqrCJU', 'uGPwIqtN7', 'yo6PcnABF', 'YRrV93yAXb32QytMYK', 'YFMLIunNAP2ecuX3ft', 'QcMTopAUk', 'KAr5jvBPd'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, WV76kGTkYMwrrWMZPR.cs High entropy of concatenated method names: 'nagAWwIdua', 'uwNAZi9Gwx', 'S4DAit87SS', 'GWjAEa9WHD', 'yURAe3P4OX', 'x8MA2TAWpO', 'uiyAOyIeMK', 'e4KAIFY5cn', 'afJA1jOO27', 'Q9dAHbY0wA'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, qcL2oPz7ftIshJRep0.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kiGcm9K14u', 'CUEc9rojAa', 'rX4c3wkSce', 'NG5cnAUtVw', 'awZcTv7nHM', 'xpNccRdxns', 'MLLc51baMc'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, j31TVHY4mr0OfJh8s1.cs High entropy of concatenated method names: 'OAW2WODvCC', 'Adx2iSVG2V', 'ySw2eNWLdh', 'ySP2Oy8dSr', 'prR2IKHOiC', 'iOdevOHIT0', 'R7jeD9rtd8', 'Bede0M4K2o', 'EdKeYd3VuC', 'uqye4NJYGu'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, zYE416MwuHJwjifA6i.cs High entropy of concatenated method names: 'LYHnYLPXjD', 'TXNndKePDJ', 'EfUTkShYP7', 'PXaTqPQ9Iu', 'ghsnymTE2H', 'NF9nKI7Wk2', 'YbMnXMq3Wy', 'c8anuYQ6oi', 'OBCnBigeBR', 'Q4hnjK6DlI'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, lYxW7oARmY5VljSsEJ.cs High entropy of concatenated method names: 'Dispose', 'g3Jq4bPq1D', 'UfS6JKfeCQ', 'EaFGG6d5gd', 'sdGqdImto9', 'CDwqzFcdTx', 'ProcessDialogKey', 'zON6kvvUde', 'LuB6qYTOxc', 'DGI66cSvNK'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, oXMRJZOupQopgiWmos.cs High entropy of concatenated method names: 'W3b9rukQ3t', 'H6E9KDisag', 'Tdc9u7lDHv', 'a0J9BwhVCv', 'H1o9JN5DbO', 'xjW97ZynXo', 'SJ69RR6lcx', 'RR79N7KIMB', 'HTW9CCrGDB', 'QTT9MgYWFV'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, MBlOSSUK8MFLvjXcLd.cs High entropy of concatenated method names: 'SXuOFw3jhx', 'tJ5OSI9cs7', 'gQkOtkHcYx', 'hiuOV4vq1w', 'sQKOhuEVWq', 'VYoOxRhK6N', 'CHOOgFI66s', 'USJOfeuHEY', 'Hq6OwMYXNb', 'Gp6OPdhoW4'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, FBWPZ9HlSLp0JOWehuN.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tHD5uuq1do', 'PjE5BaXQlk', 'lyp5jJOjWT', 'QJi5lJDBCG', 'YxW5vAyCRU', 'Lbb5DVqavS', 'G9y50fjH41'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, rgAMVdNjhaRgf5miji.cs High entropy of concatenated method names: 'xsIqOgEEH1', 'GqjqILqtRI', 'coPqHhHLuJ', 'A36qQyfM0A', 'Tagq9s011x', 'Wemq3ia6D5', 'xa3ZHiaUVA76E90dDW', 'BXEtXefRTNmaO3PVIA', 'kKrqqLm1gH', 'fNrqAHoQKy'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, wQlXod4v6Xc2slkNos.cs High entropy of concatenated method names: 'wMHOZ3qSUP', 'u3lOEXEfRf', 'Ds4O2rwFaY', 'EZu2dCTq6X', 'Erf2zUiMWV', 'mpJOksLZju', 'g9rOqorYVD', 'ihhO6cGrPN', 'awJOAFKxYS', 'jWHOsN1oLt'
Source: 0.2.COPIA DE PAGO SWIFT.exe.44b9490.11.raw.unpack, Q2hWVB0sWRfQ4N1idC.cs High entropy of concatenated method names: 'tEeTbDy2CS', 'nxsTJe6Ige', 'FKAT7sstus', 'oZiTRWN4OG', 'M4fTu1FYDN', 'M6ZTNNrZZo', 'Next', 'Next', 'Next', 'NextBytes'

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: COPIA DE PAGO SWIFT.exe PID: 7636, type: MEMORYSTR
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Memory allocated: memory reserve | memory write watch at 1790000, 3150000, 5150000, 91B0000, 7440000, A1B0000, B1B0000, 17A0000, 3170000, 5170000 (10 allocations)
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Thread delayed: delay time: 922337203685477 (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6392
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3286
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Window / User API: threadDelayed 1479
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Window / User API: threadDelayed 5592
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe TID: 7656 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8036 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe TID: 8060 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe TID: 8060 Thread sleep time: 35 consecutive sleeps of -100000s, -99875s, -99766s, -99656s, -99547s, -99438s, -99313s, -99203s, -99094s, -98969s, -98859s, -98750s, -98627s, -98500s, -98391s, -98281s, -98172s, -98063s, -97953s, -97844s, -97734s, -97625s, -97516s, -97406s, -97297s, -97188s, -97063s, -96938s, -96813s, -96703s, -96594s, -96469s, -96359s, -96250s, -96141s, each >= -30000s
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe TID: 8060 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe TID: 8068 Thread sleep count: 1479 > 30
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe TID: 8068 Thread sleep count: 5592 > 30
Note on the values: the magnitudes are best read as the millisecond arguments handed to the sleep call (the report prints them with a leading minus and an "s" suffix); 922337203685477 ms is TimeSpan.MaxValue, in practice an indefinite wait, and the 35-step series on TID 8060 walks down from 100 s to about 96 s in steps of roughly 110 to 125 ms, the shape of a decrementing sleep loop that burns sandbox time while staying above the 30 s threshold each time.
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Thread delayed: 35 consecutive delays of 100000, 99875, 99766, 99656, 99547, 99438, 99313, 99203, 99094, 98969, 98859, 98750, 98627, 98500, 98391, 98281, 98172, 98063, 97953, 97844, 97734, 97625, 97516, 97406, 97297, 97188, 97063, 96938, 96813, 96703, 96594, 96469, 96359, 96250, 96141
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Thread delayed: delay time: 922337203685477
Source: COPIA DE PAGO SWIFT.exe, 00000000.00000002.1351015714.000000000132A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: COPIA DE PAGO SWIFT.exe, 00000006.00000002.2555782846.0000000001356000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process token adjusted: Debug (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe" (reported 3 times; the sample excludes its own path from Windows Defender scanning, and the command line names System32 while the image that actually runs is the SysWOW64 copy because the 32-bit parent is subject to WOW64 file system redirection)
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Memory written: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe base: 400000 value starts with: 4D5A (a PE image, "MZ", written at the image base of a second instance of the sample)
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Process created: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe "C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe" (reported 2 times)
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Queries volume information: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe VolumeInformation (2 occurrences, one per sample instance)
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (2 occurrences)
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation (2 occurrences)
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation (2 occurrences)
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (2 occurrences)
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (8 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
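The Add-MpPreference evidence above is the kind of process-creation event a detection engineer wants to catch on endpoints. The following is an added example, not part of the Joe Sandbox report: it takes Sysmon-like process-creation records (constructed here; the field names and the "user-writable directory" heuristic are this example's assumptions) and flags PowerShell children that add a Defender exclusion, decoding -EncodedCommand payloads first so the base64 variant that the Sigma rule in the overview targets is also caught, and escalating when the parent excludes its own path, which is exactly what this sample does. The encoded and administrator cases are hypothetical; event 0 mirrors the report's command line.

```python
"""Flag Defender-exclusion tampering in process-creation telemetry.

Added example for the Add-MpPreference evidence above; it is not part of the
Joe Sandbox report. Events are constructed here in a Sysmon-like shape; the
field names and the USER_WRITABLE heuristic are this example's assumptions.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Parameters of Add-/Set-MpPreference that carve a hole in Defender coverage.
EXCLUSION_PARAMS = ("-ExclusionPath", "-ExclusionProcess", "-ExclusionExtension", "-ExclusionIpAddress")
MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script).
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
# A security-configuration change launched from a user-writable directory is suspect (assumption).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:Desktop|Downloads|Documents|AppData)\\", re.IGNORECASE)
# First argument after a parameter: "quoted", 'quoted' or bare (comma lists are not expanded).
ARG_VALUE = r"\s+(?:\"([^\"]*)\"|'([^']*)'|([^\s,\"']+))"


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the creating process


def normalize_powershell(command_line: str) -> str:
    """Return the effective script: -EncodedCommand payloads are base64(UTF-16LE)."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return command_line
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return command_line  # not a real encoded payload; analyse the raw line
    return command_line[: m.start()] + script


def _arguments(script: str, param: str) -> List[str]:
    pattern = re.compile(re.escape(param) + ARG_VALUE, re.IGNORECASE)
    return [a or b or c for a, b, c in pattern.findall(script)]


def _is_under(path: str, root: str) -> bool:
    p, r = path.lower(), root.lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")


def detect_defender_exclusion(ev: ProcessEvent) -> Optional[dict]:
    """Return a finding when a PowerShell child adds a Defender exclusion, else None."""
    if "powershell" not in ev.image.lower():
        return None
    script = normalize_powershell(ev.command_line)
    if not MP_CMDLET.search(script):
        return None
    exclusions = {p: _arguments(script, p) for p in EXCLUSION_PARAMS}
    exclusions = {p: v for p, v in exclusions.items() if v}
    if not exclusions:  # e.g. -DisableRealtimeMonitoring: tampering too, but out of scope here
        return None
    reasons = ["MpPreference cmdlet adds a Defender exclusion"]
    severity = "medium"
    if USER_WRITABLE.search(ev.parent_image):
        reasons.append("launched by a binary in a user-writable directory")
        severity = "high"
    self_excluded = any(_is_under(ev.parent_image, v) for v in exclusions.get("-ExclusionPath", []))
    if self_excluded:
        reasons.append("parent excludes its own path (self-exclusion)")
        severity = "high"
    if script != ev.command_line:
        reasons.append("cmdlet was hidden behind -EncodedCommand")
    return {"severity": severity, "exclusions": exclusions, "self_excluded": self_excluded,
            "reasons": reasons, "decoded": script}


def triage_events(events: List[ProcessEvent]) -> List[Optional[dict]]:
    return [detect_defender_exclusion(ev) for ev in events]


def _encode(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = r"C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe"
# Constructed telemetry: event 0 mirrors the report's command line; 1-4 are hypothetical variants.
SAMPLE_EVENTS = [
    ProcessEvent(PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe"', SAMPLE),
    ProcessEvent(PS, "powershell.exe -NoP -W Hidden -enc " + _encode(r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svc.exe"'), r"C:\Users\user\AppData\Local\Temp\dropper.exe"),
    ProcessEvent(PS, r"powershell.exe Add-MpPreference -ExclusionPath 'D:\BuildAgent\work'", r"C:\Windows\explorer.exe"),
    ProcessEvent(PS, "powershell.exe Get-MpPreference", r"C:\Windows\explorer.exe"),
    ProcessEvent(PS, "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true", SAMPLE),
]

if __name__ == "__main__":
    for ev, finding in zip(SAMPLE_EVENTS, triage_events(SAMPLE_EVENTS)):
        print(ev.command_line[:60], "->", finding and (finding["severity"], finding["reasons"]))
```

On a live host the same question can be answered after the fact: the exclusion lands in the ExclusionPath list of Get-MpPreference, and Defender logs the configuration change, so the detection above is for catching the moment it happens, while those sources confirm what is already in place.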

Stealing of Sensitive Information

Source: Yara match File source: 0.2.COPIA DE PAGO SWIFT.exe.43cdcd8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.COPIA DE PAGO SWIFT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.COPIA DE PAGO SWIFT.exe.43cdcd8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2557138643.00000000031BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2557138643.00000000031E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2555583452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2557138643.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1353799186.0000000004393000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: COPIA DE PAGO SWIFT.exe PID: 7636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: COPIA DE PAGO SWIFT.exe PID: 7840, type: MEMORYSTR
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\COPIA DE PAGO SWIFT.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 0.2.COPIA DE PAGO SWIFT.exe.43cdcd8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.COPIA DE PAGO SWIFT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.COPIA DE PAGO SWIFT.exe.43cdcd8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2555583452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2557138643.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1353799186.0000000004393000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: COPIA DE PAGO SWIFT.exe PID: 7636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: COPIA DE PAGO SWIFT.exe PID: 7840, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.COPIA DE PAGO SWIFT.exe.43cdcd8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.COPIA DE PAGO SWIFT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.COPIA DE PAGO SWIFT.exe.43cdcd8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.COPIA DE PAGO SWIFT.exe.43932b8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2557138643.00000000031BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2557138643.00000000031E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2555583452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2557138643.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1353799186.0000000004393000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: COPIA DE PAGO SWIFT.exe PID: 7636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: COPIA DE PAGO SWIFT.exe PID: 7840, type: MEMORYSTR