Windows Analysis Report
Swift_Copy.scr

Overview

General Information

Sample name: Swift_Copy.scr
Analysis ID: 1430207
MD5: a474ccda551682dcb92efe1402dd02cb
SHA1: 6a147a094a142d0ddf04c97b6b74626be611c189
SHA256: 1680d6ff15e6c5b4a4098b88073646bb4cff58b6c51a916bed32401b02a64a6b
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 8.2.WAuLmtFUmD.exe.50a5450.11.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.sigmamotorspk.com", "Username": "khiro@sigmamotorspk.com", "Password": "zarbeazab1234"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Virustotal: Detection: 45% Perma Link
Multi AV Scanner detection for submitted file
Source: Swift_Copy.scr Virustotal: Detection: 45% Perma Link
Source: Swift_Copy.scr ReversingLabs: Detection: 70%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Swift_Copy.scr Joe Sandbox ML: detected
Uses 32bit PE files
Source: Swift_Copy.scr Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Swift_Copy.scr Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Swift_Copy.scr Code function: 4x nop then jmp 0AB1151Fh 0_2_0AB10CB4
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 4x nop then jmp 0EFF0C6Fh 8_2_0EFF03FD
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49709 -> 65.21.71.87:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49709 -> 65.21.71.87:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: mail.sigmamotorspk.com
Source: Swift_Copy.scr, WAuLmtFUmD.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Swift_Copy.scr, WAuLmtFUmD.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RegSvcs.exe, 00000007.00000002.2118653417.0000000002906000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3276330521.0000000002E56000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.sigmamotorspk.com
Source: Swift_Copy.scr, WAuLmtFUmD.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: Swift_Copy.scr, 00000000.00000002.2106668901.00000000033F6000.00000004.00000800.00020000.00000000.sdmp, WAuLmtFUmD.exe, 00000008.00000002.2135864386.00000000035B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000007.00000002.2118653417.0000000002906000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.3276330521.0000000002E56000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sigmamotorspk.com
Source: Swift_Copy.scr, 00000000.00000002.2108100860.0000000004416000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2113537992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, WAuLmtFUmD.exe, 00000008.00000002.2140171444.000000000506A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: Swift_Copy.scr, WAuLmtFUmD.exe.0.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, NDL2m67zO.cs .Net Code: tKj

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 8.2.WAuLmtFUmD.exe.50a5450.11.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.WAuLmtFUmD.exe.506aa30.9.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Swift_Copy.scr.44510c0.10.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Swift_Copy.scr.44166a0.9.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.WAuLmtFUmD.exe.50a5450.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Swift_Copy.scr.44166a0.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.WAuLmtFUmD.exe.506aa30.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
.NET source code contains very large array initializations
Source: Swift_Copy.scr, Program.cs Large array initialization: : array initializer size 623286
Source: 0.2.Swift_Copy.scr.5f50000.11.raw.unpack, HomeView.cs Large array initialization: : array initializer size 33604
Detected potential crypto function
Source: C:\Users\user\Desktop\Swift_Copy.scr Code function: 0_2_018ED93C 0_2_018ED93C
Source: C:\Users\user\Desktop\Swift_Copy.scr Code function: 0_2_0766D460 0_2_0766D460
Source: C:\Users\user\Desktop\Swift_Copy.scr Code function: 0_2_0766C4C8 0_2_0766C4C8
Source: C:\Users\user\Desktop\Swift_Copy.scr Code function: 0_2_0766C4B8 0_2_0766C4B8
Source: C:\Users\user\Desktop\Swift_Copy.scr Code function: 0_2_0766CE68 0_2_0766CE68
Source: C:\Users\user\Desktop\Swift_Copy.scr Code function: 0_2_0766CE78 0_2_0766CE78
Source: C:\Users\user\Desktop\Swift_Copy.scr Code function: 0_2_07661EC0 0_2_07661EC0
Source: C:\Users\user\Desktop\Swift_Copy.scr Code function: 0_2_07661EAF 0_2_07661EAF
Source: C:\Users\user\Desktop\Swift_Copy.scr Code function: 0_2_07663E98 0_2_07663E98
Source: C:\Users\user\Desktop\Swift_Copy.scr Code function: 0_2_0766ACC8 0_2_0766ACC8
Source: C:\Users\user\Desktop\Swift_Copy.scr Code function: 0_2_07667B90 0_2_07667B90
Source: C:\Users\user\Desktop\Swift_Copy.scr Code function: 0_2_0AB12BE0 0_2_0AB12BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00DF9378 7_2_00DF9378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00DF4A98 7_2_00DF4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00DF9BF8 7_2_00DF9BF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00DFCEC0 7_2_00DFCEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00DF3E80 7_2_00DF3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00DF41C8 7_2_00DF41C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_05DD56F8 7_2_05DD56F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_05DD0040 7_2_05DD0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_05DDBD18 7_2_05DDBD18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_05DDDD38 7_2_05DDDD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_05DD8C04 7_2_05DD8C04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_05DD3F68 7_2_05DD3F68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_05DD2AF8 7_2_05DD2AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_05DD9AF8 7_2_05DD9AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_05DD5018 7_2_05DD5018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_05DD3268 7_2_05DD3268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00DFE06F 7_2_00DFE06F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00DF9BF3 7_2_00DF9BF3
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 8_2_0154D93C 8_2_0154D93C
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 8_2_05841104 8_2_05841104
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 8_2_05841E40 8_2_05841E40
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 8_2_0788A750 8_2_0788A750
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 8_2_0788C398 8_2_0788C398
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 8_2_0788D330 8_2_0788D330
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 8_2_07883E98 8_2_07883E98
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 8_2_07881EAF 8_2_07881EAF
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 8_2_07881EC0 8_2_07881EC0
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 8_2_0788CD48 8_2_0788CD48
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 8_2_0788AB98 8_2_0788AB98
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 8_2_07887B90 8_2_07887B90
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 8_2_0EFF2470 8_2_0EFF2470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_01229378 12_2_01229378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_01229B38 12_2_01229B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_01224A98 12_2_01224A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_01223E80 12_2_01223E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0122CEC0 12_2_0122CEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_012241C8 12_2_012241C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_062C56F8 12_2_062C56F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_062C3F68 12_2_062C3F68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_062C8C04 12_2_062C8C04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_062CDD38 12_2_062CDD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_062C2AF8 12_2_062C2AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_062C9AF8 12_2_062C9AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_062C0040 12_2_062C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_062CBFD8 12_2_062CBFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_062C3268 12_2_062C3268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_062C5018 12_2_062C5018
PE / OLE file has an invalid certificate
Source: Swift_Copy.scr Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: Swift_Copy.scr, 00000000.00000002.2108100860.0000000004D8E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Swift_Copy.scr
Source: Swift_Copy.scr, 00000000.00000002.2108100860.0000000004416000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamee4a58f0f-9f80-4bf8-83da-c8b835e59bd6.exe4 vs Swift_Copy.scr
Source: Swift_Copy.scr, 00000000.00000002.2105660594.000000000167E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Swift_Copy.scr
Source: Swift_Copy.scr, 00000000.00000002.2106668901.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Swift_Copy.scr
Source: Swift_Copy.scr, 00000000.00000002.2110825783.0000000005F50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Swift_Copy.scr
Source: Swift_Copy.scr, 00000000.00000002.2106668901.00000000033F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamee4a58f0f-9f80-4bf8-83da-c8b835e59bd6.exe4 vs Swift_Copy.scr
Source: Swift_Copy.scr, 00000000.00000002.2112955026.000000000BBD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Swift_Copy.scr
Source: Swift_Copy.scr Binary or memory string: OriginalFilenameDwip.exeL vs Swift_Copy.scr
Uses 32bit PE files
Source: Swift_Copy.scr Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 8.2.WAuLmtFUmD.exe.50a5450.11.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.WAuLmtFUmD.exe.506aa30.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Swift_Copy.scr.44510c0.10.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Swift_Copy.scr.44166a0.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.WAuLmtFUmD.exe.50a5450.11.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Swift_Copy.scr.44166a0.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.WAuLmtFUmD.exe.506aa30.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Swift_Copy.scr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WAuLmtFUmD.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, OTWUo99bfyR.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, OTWUo99bfyR.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, Ui9qhZiA7.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, Ui9qhZiA7.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, BqMB7yHhrXg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, BqMB7yHhrXg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, BqMB7yHhrXg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, BqMB7yHhrXg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, rWUR7gJwO4M8XQmEUW.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, nZ6fwD6Co1KFKaRig4.cs Security API names: _0020.SetAccessControl
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, nZ6fwD6Co1KFKaRig4.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, nZ6fwD6Co1KFKaRig4.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winSCR@16/11@1/1
Source: C:\Users\user\Desktop\Swift_Copy.scr File created: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Mutant created: \Sessions\1\BaseNamedObjects\rlJOpRb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4724:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3876:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1960:120:WilError_03
Source: C:\Users\user\Desktop\Swift_Copy.scr File created: C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp Jump to behavior
Source: Swift_Copy.scr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Swift_Copy.scr Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Swift_Copy.scr File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: WAuLmtFUmD.exe.0.dr Binary or memory string: select * from Cititor where email like @Nume and parola like @Parola;
Source: Swift_Copy.scr Virustotal: Detection: 45%
Source: Swift_Copy.scr ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\Swift_Copy.scr File read: C:\Users\user\Desktop\Swift_Copy.scr:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Swift_Copy.scr "C:\Users\user\Desktop\Swift_Copy.scr" /S
Source: C:\Users\user\Desktop\Swift_Copy.scr Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift_Copy.scr Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift_Copy.scr Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp8D33.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Swift_Copy.scr Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe" Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp" Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp8D33.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Swift_Copy.scr File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: Swift_Copy.scr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Swift_Copy.scr Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: Swift_Copy.scr, Form1.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, nZ6fwD6Co1KFKaRig4.cs .Net Code: E9vdbEksc9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Swift_Copy.scr.5f50000.11.raw.unpack, HomeView.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 8_2_0584193B pushfd ; retf 8_2_05841941
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 8_2_0788F88C push es; retf 8_2_0788F88F
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 8_2_0EFF0CA9 push cs; retf 8_2_0EFF0CB8
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Code function: 8_2_0EFF3109 push esp; retf 8_2_0EFF3115
Source: Swift_Copy.scr Static PE information: section name: .text entropy: 7.876501523545841
Source: WAuLmtFUmD.exe.0.dr Static PE information: section name: .text entropy: 7.876501523545841
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, henXBbc3yZCYFXacjK.cs High entropy of concatenated method names: 'YlkWGtfh5G', 'dfKWrGZXWK', 'gdCPVwXoG7', 'jdiP7clQjO', 'HI0PoYaQDs', 'OmOPERVnT2', 'NVkPBwByRp', 'GCdPN9Os3l', 'FrrPmqEkVg', 'iQgPyALoyk'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, nZ6fwD6Co1KFKaRig4.cs High entropy of concatenated method names: 'rdrLTA1550', 'jKcLHA57oh', 'ggoLwK5CDI', 'G7rLPkv9gY', 'bgyLWfkLlA', 'h0kLMDuZ7h', 'ysdLCyPXP6', 'jGSL6KJuvW', 'syFLjrxL8y', 'cEBLZ9uGAS'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, QDgAGFdtSRBSfPJCn1.cs High entropy of concatenated method names: 'kcDtCWUR7g', 'gO4t6M8XQm', 'YSNtZpJg3I', 'RgbtUJWenX', 'tactljKSWV', 'YM9tIkQjm1', 'hu4lQCpMYAFeWjmvvh', 'GgkEA3SuvkxFSvH6dW', 'Dpqttbr1wj', 'UcvtL6NFpx'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, TdsFnktLAE0UIQL9Kll.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GohnAgcyGk', 'zUYn9B4Gl6', 'll3ngCIjIX', 'gdXnQ9noIi', 'HrbnpyerDA', 'b6yn3UbXe9', 'byHnsXGvJs'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, VY2TOGBjwktYJOiewv.cs High entropy of concatenated method names: 'EYXCHViqRH', 'n3oCPkVPYN', 'PohCMqWjwg', 'FG8Mq6DuGU', 'sOGMz090pE', 'HsBCv9djLX', 'afQCtRZovr', 'nASChQR5K3', 'A0ZCLrc8WH', 'bpbCdt2hic'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, S4xwiZ3nscacetp2TQ.cs High entropy of concatenated method names: 'veQY2D155r', 'rVSYq1IyrV', 'EUU0vsJbEp', 'MEx0tf9x9y', 'z7GYxvKo61', 'DIXYafbdrx', 'TOdY8Sg18O', 'J5RYADJwjZ', 'rsQY9S57wR', 'BOWYgHA1AF'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, U8qtcs8WquS83p5A01.cs High entropy of concatenated method names: 'kx4RJLdlJB', 'TI6RSnl4mv', 'iGgRuEhQP3', 'TTyRK59h2f', 'NQkR7GorQv', 'uaCRo9YP0j', 'OuqRBOXeX5', 'hKoRN6ThFW', 'L7NRywLmvJ', 'VLIRxP4XOc'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, EWVqM9ukQjm1kV60nE.cs High entropy of concatenated method names: 'ulEMTCyJ0l', 'cbyMwXiuKW', 'OOIMWbCdYI', 'K32MCn2blC', 'qVdM6l1NUT', 'DRfWp6oXDF', 'YVhW3fgmA9', 'SdoWsgDapb', 'HpEW2WLo2d', 'swrW5m4Fn4'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, K5DXy25lGX8JHc3F1Z.cs High entropy of concatenated method names: 'Q1i0uU4ELZ', 'W8X0K65x5u', 'ubr0VEmds7', 'tqH07iGYVA', 'y850A2Kb71', 'Pim0ondeTL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, x6J6dmtvU2KqcCPQUcW.cs High entropy of concatenated method names: 's3gDOsdmU0', 'Mf1DfhO9jL', 'OfrDbHdJew', 'mGjD1AD9ta', 'JMIDGnHGH1', 'pLwD4b9xid', 'KMCDr6iZB6', 'cPHDJHis7f', 'MWUDSSSJcg', 'yt5DcR93q5'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, UTGQOOw6OPjkFM2VKM.cs High entropy of concatenated method names: 'Dispose', 'df3t5pDVEJ', 'dabhKqCpq3', 'ztLXXaBGQC', 'asytqQdKok', 'Ps8tzedw2A', 'ProcessDialogKey', 'M4Ehv5DXy2', 'oGXht8JHc3', 'u1ZhhbWAq5'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, zWAq5ZqEQ70vicMem8.cs High entropy of concatenated method names: 'bDhDtAoRry', 'iXcDLgX2Qe', 'imuDduMKjS', 'iG1DHQ2VSY', 'SOEDwhl32R', 'aevDWe95Ms', 'qqtDM7pXRP', 'nZS0sfOeLf', 'Ghd02EIkBg', 'vtO05shurH'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, WyQdKo2k8s8edw2Am4.cs High entropy of concatenated method names: 'M5g0HvY5Jo', 'P1y0wUDnbU', 'dvk0PY4doH', 'xsm0WEsB4m', 'w5C0M4E7af', 'ATu0C1oETt', 'BJO06NNoYU', 'Bf90jEPu19', 'TsR0Zf77AT', 'mLW0UJqqnK'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, kS3cTkm997BAqLLlhG.cs High entropy of concatenated method names: 'e68COBJJxb', 'kC3CfvZFui', 't32CbCClLD', 'sjoC1cRVrW', 'NldCGwbZhV', 'DPJC4rygJW', 'mB3CrLWMNh', 'B1aCJkFNYR', 'AjNCSruWK7', 'lvcCcSuOPd'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, kATSQ5QhDPFqb6YBF3.cs High entropy of concatenated method names: 'r4QYZAgOol', 'gWNYUaeFdD', 'ToString', 'dj0YHq3pKn', 'gcDYwZ0jHv', 'k26YPGQ3sV', 'mFvYWApjp9', 'BJpYMYhfEW', 'AhPYCXHfrX', 'o3FY66pJiQ'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, bMka7RhLoveaww4eV3.cs High entropy of concatenated method names: 'GdnbjhwsX', 'dli1qWP5J', 'dsD4hJJmH', 'DWZrgNwAm', 'eyLS3Osvu', 'jAic3HqgA', 'QBu22ubrL98C9t5CUw', 'xnDoEsyvAbqrxhFHnl', 'hrBw6BMy96TUSrQg3Z', 'LMH0vlYQ4'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, rWUR7gJwO4M8XQmEUW.cs High entropy of concatenated method names: 'iViwAdi0yR', 'OVgw9wGUd5', 'fHKwgwx6Xq', 'lAXwQYxnfT', 'dNQwp1sHUS', 'svNw34fj8n', 'zGgwsfBXp2', 'SYZw2kKApi', 'oCMw52Eq84', 'se4wqxusAZ'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, DVKBuqSSNpJg3IAgbJ.cs High entropy of concatenated method names: 'a9tP1EeW4Z', 'DfNP4C64Tj', 'AZwPJkEE2g', 'ebqPSNg5fL', 'q7TPljHZqk', 'SahPIjEEgK', 'XykPYdmksG', 'tNeP0TgUoJ', 'bPhPDBM7B9', 'vK2Pn5qVPT'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, Iy9Tgqz43IelUyKJXv.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'iyNDRBdeES', 'bXiDlraGku', 'AyZDIqLrBK', 'paODYKfrha', 'IKbD0OXnJ8', 'GrhDDtI1bQ', 'Os3Dn7lMW4'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, g6SGhFPhI7nejp3SeQ.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'XWoh5HTlKu', 'b7Bhqplfcg', 'NEPhzF3uoi', 'E8QLvdVfP5', 'Gy1Lt5VRoG', 'wxWLhsTcFO', 'sbALLkDgwr', 'SREYO779iyUWS4XCsJ8'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, EvkiPGgVYGUxUYNOdZ.cs High entropy of concatenated method names: 'ToString', 'TZGIxAFmur', 'YVUIKhQ7Vm', 'L1UIVZZQCq', 'KUfI7jMNWw', 'EbqIok8YYt', 'h2PIEIv4dM', 'z5RIBJEBiB', 'y2HINVRIgW', 'JIlImJ1CXi'
Source: 0.2.Swift_Copy.scr.5011610.7.raw.unpack, iwtTH6AbfoWbx1OhVT.cs High entropy of concatenated method names: 'gVElySMNds', 'jLwlaxyBpQ', 't4wlACIiBD', 'K2hl9ktk1Q', 'fmFlKBlS96', 'IjklV8Kqcm', 'raBl7Geqts', 'LBWloLUxJb', 'kGIlEIKW2l', 'CBllB2Q3n5'
Drops PE files
Source: C:\Users\user\Desktop\Swift_Copy.scr File created: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Swift_Copy.scr Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Swift_Copy.scr PID: 4592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WAuLmtFUmD.exe PID: 5960, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Swift_Copy.scr Memory allocated: 18E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Memory allocated: 33B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Memory allocated: 53B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Memory allocated: 9330000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Memory allocated: A330000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Memory allocated: A530000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Memory allocated: B530000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Memory allocated: BC50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Memory allocated: 9330000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Memory allocated: 1540000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Memory allocated: 3330000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Memory allocated: 18A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Memory allocated: 8B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Memory allocated: 9B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Memory allocated: 9D00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Memory allocated: AD00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Memory allocated: B3F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Memory allocated: C3F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Memory allocated: D3F0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Swift_Copy.scr Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7705 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1947 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 710 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1879 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1841 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7817 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Swift_Copy.scr TID: 4308 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5832 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6132 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe TID: 1772 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Swift_Copy.scr Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99869 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99530 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99074 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98853 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98516 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99649 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99546 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99326 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99215 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98752 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98515 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98405 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98295 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98066 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97835 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97622 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97475 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97374 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97265 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97046 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96936 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96811 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96593 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96374 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96265 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96046 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95937 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95827 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95603 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95500 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95390 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95281 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93956 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93828 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93718 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93500 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: RegSvcs.exe, 00000007.00000002.2124233403.0000000005BD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAN Miniport (Network Monitor)-QoS Packet Scheduler-0000-
Source: RegSvcs.exe, 0000000C.00000002.3284308297.00000000061EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:\bb
Source: C:\Users\user\Desktop\Swift_Copy.scr Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\Swift_Copy.scr Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\Swift_Copy.scr Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe"
Source: C:\Users\user\Desktop\Swift_Copy.scr Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe" Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Swift_Copy.scr Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Swift_Copy.scr Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Swift_Copy.scr Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43C000 Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000 Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 652008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43C000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CFE008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Swift_Copy.scr Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe" Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp7FF5.tmp" Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WAuLmtFUmD" /XML "C:\Users\user\AppData\Local\Temp\tmp8D33.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Swift_Copy.scr Queries volume information: C:\Users\user\Desktop\Swift_Copy.scr VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Queries volume information: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WAuLmtFUmD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.scr Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 8.2.WAuLmtFUmD.exe.50a5450.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WAuLmtFUmD.exe.506aa30.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Swift_Copy.scr.44510c0.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Swift_Copy.scr.44166a0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WAuLmtFUmD.exe.50a5450.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Swift_Copy.scr.44166a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WAuLmtFUmD.exe.506aa30.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.3276330521.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2113537992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2118653417.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3276330521.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2108100860.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2118653417.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2140171444.000000000506A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Swift_Copy.scr PID: 4592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WAuLmtFUmD.exe PID: 5960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1276, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 8.2.WAuLmtFUmD.exe.50a5450.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WAuLmtFUmD.exe.506aa30.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Swift_Copy.scr.44510c0.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Swift_Copy.scr.44166a0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WAuLmtFUmD.exe.50a5450.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Swift_Copy.scr.44166a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WAuLmtFUmD.exe.506aa30.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2113537992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2108100860.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2118653417.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2140171444.000000000506A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Swift_Copy.scr PID: 4592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WAuLmtFUmD.exe PID: 5960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1276, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 8.2.WAuLmtFUmD.exe.50a5450.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WAuLmtFUmD.exe.506aa30.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Swift_Copy.scr.44510c0.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Swift_Copy.scr.44166a0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WAuLmtFUmD.exe.50a5450.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Swift_Copy.scr.44166a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Swift_Copy.scr.44510c0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WAuLmtFUmD.exe.506aa30.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.3276330521.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2113537992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2118653417.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3276330521.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2108100860.0000000004416000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2118653417.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2140171444.000000000506A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Swift_Copy.scr PID: 4592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WAuLmtFUmD.exe PID: 5960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1276, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1430207 Sample: Swift_Copy.scr Startdate: 23/04/2024 Architecture: WINDOWS Score: 100 38 mail.sigmamotorspk.com 2->38 40 sigmamotorspk.com 2->40 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Sigma detected: Scheduled temp file as task from temp location 2->48 50 8 other signatures 2->50 8 Swift_Copy.scr 7 2->8         started        12 WAuLmtFUmD.exe 5 2->12         started        signatures3 process4 file5 34 C:\Users\user\AppData\...\WAuLmtFUmD.exe, PE32 8->34 dropped 36 C:\Users\user\AppData\Local\...\tmp7FF5.tmp, XML 8->36 dropped 52 Uses schtasks.exe or at.exe to add and modify task schedules 8->52 54 Writes to foreign memory regions 8->54 56 Allocates memory in foreign processes 8->56 58 Adds a directory exclusion to Windows Defender 8->58 14 RegSvcs.exe 2 8->14         started        18 powershell.exe 23 8->18         started        20 schtasks.exe 1 8->20         started        60 Multi AV Scanner detection for dropped file 12->60 62 Machine Learning detection for dropped file 12->62 64 Injects a PE file into a foreign processes 12->64 22 RegSvcs.exe 2 12->22         started        24 schtasks.exe 1 12->24         started        signatures6 process7 dnsIp8 42 sigmamotorspk.com 65.21.71.87, 49709, 49711, 587 CP-ASDE United States 14->42 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->66 68 Loading BitLocker PowerShell Module 18->68 26 WmiPrvSE.exe 18->26         started        28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->70 72 Tries to steal Mail credentials (via file / registry access) 22->72 74 Tries to harvest and steal ftp login credentials 22->74 76 Tries to harvest and steal browser information (history, passwords, etc) 22->76 32 conhost.exe 24->32         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
65.21.71.87
 sigmamotorspk.com United States
199592 CP-ASDE false

Contacted Domains

Name IP Active
sigmamotorspk.com 65.21.71.87 true
mail.sigmamotorspk.com unknown unknown