Analysis Report SPECIALISED SWIFT.EXE

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: SPECIALISED SWIFT.EXE

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Avira: detection malicious, Label: HEUR/AGEN.1129504
Source: C:\Users\user\AppData\Roaming\VWIpnm.exe	Avira: detection malicious, Label: HEUR/AGEN.1129504

Found malware configuration

Source: 0000001F.00000002.466469637.0000000002BF1000.00000004.00000001.sdmp

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "info@aluminatiglass.co.zaP@ssword123mail.aluminatiglass.co.za"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\VWIpnm.exe	Virustotal: Detection: 55%			Perma Link
Source: C:\Users\user\AppData\Roaming\VWIpnm.exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Virustotal: Detection: 55%			Perma Link
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: SPECIALISED SWIFT.EXE	Virustotal: Detection: 55%			Perma Link
Source: SPECIALISED SWIFT.EXE	ReversingLabs: Detection: 28%

Antivirus or Machine Learning detection for unpacked file

Source: 14.0.SPECIALISED SWIFT.EXE.400000.1.unpack	Avira: Label: TR/Spy.Gen8
Source: 14.2.SPECIALISED SWIFT.EXE.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 31.2.pGKuRU.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 31.0.pGKuRU.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Source: SPECIALISED SWIFT.EXE

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: SPECIALISED SWIFT.EXE

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]		0_2_02F49DA8
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]		0_2_02F47D7C
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]		22_2_05717D7C
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]		22_2_05719DA8
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]		23_2_050A7D55
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]		23_2_050A7D7C
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]		23_2_050A9DA8
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]		23_2_050A9DEC
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]		23_2_050A9EA8

Networking:

URLs found in memory or binary data

Source: SPECIALISED SWIFT.EXE, 0000000E.00000002.465914649.00000000033A1000.00000004.00000001.sdmp, pGKuRU.exe, 0000001F.00000002.466469637.0000000002BF1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: pGKuRU.exe, 0000001F.00000002.466469637.0000000002BF1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: pGKuRU.exe, 0000001F.00000002.466469637.0000000002BF1000.00000004.00000001.sdmp	String found in binary or memory: http://VgqbOm.com
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.288208402.0000000002F61000.00000004.00000001.sdmp, pGKuRU.exe, 00000016.00000002.442118608.00000000031BE000.00000004.00000001.sdmp, pGKuRU.exe, 00000017.00000002.466341118.0000000002C41000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295470893.00000000087A0000.00000002.00000001.sdmp, pGKuRU.exe, 00000016.00000002.447615531.0000000008990000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.474212103.00000000082D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.290470119.0000000003F61000.00000004.00000001.sdmp, SPECIALISED SWIFT.EXE, 0000000E.00000000.286401273.0000000000402000.00000040.00000001.sdmp, pGKuRU.exe, 00000016.00000002.443548557.00000000049B1000.00000004.00000001.sdmp, pGKuRU.exe, 0000001F.00000002.460180951.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: SPECIALISED SWIFT.EXE, 0000000E.00000002.465914649.00000000033A1000.00000004.00000001.sdmp, pGKuRU.exe, 0000001F.00000002.466469637.0000000002BF1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: SPECIALISED SWIFT.EXE, 00000000.00000002.287774204.0000000001310000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations

Source: 14.0.SPECIALISED SWIFT.EXE.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b1158B9A3u002d17C0u002d4E34u002d8349u002d1C8248D4C1D2u007d/u003027C2683u002d8BD7u002d4A93u002dB240u002d5BA7E3714C82.cs	Large array initialization: .cctor: array initializer size 11915
Source: 14.2.SPECIALISED SWIFT.EXE.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b1158B9A3u002d17C0u002d4E34u002d8349u002d1C8248D4C1D2u007d/u003027C2683u002d8BD7u002d4A93u002dB240u002d5BA7E3714C82.cs	Large array initialization: .cctor: array initializer size 11915
Source: 31.2.pGKuRU.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b1158B9A3u002d17C0u002d4E34u002d8349u002d1C8248D4C1D2u007d/u003027C2683u002d8BD7u002d4A93u002dB240u002d5BA7E3714C82.cs	Large array initialization: .cctor: array initializer size 11915
Source: 31.0.pGKuRU.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b1158B9A3u002d17C0u002d4E34u002d8349u002d1C8248D4C1D2u007d/u003027C2683u002d8BD7u002d4A93u002dB240u002d5BA7E3714C82.cs	Large array initialization: .cctor: array initializer size 11915

Contains functionality to call native functions

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F03AC NtQueryInformationProcess,		0_2_012F03AC
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F03A5 NtQueryInformationProcess,		0_2_012F03A5
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F6BB9 NtQueryInformationProcess,		0_2_012F6BB9
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F603AC NtQueryInformationProcess,		22_2_02F603AC
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F66BB9 NtQueryInformationProcess,		22_2_02F66BB9

Detected potential crypto function

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F3110		0_2_012F3110
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F2240		0_2_012F2240
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F7518		0_2_012F7518
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F0472		0_2_012F0472
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F17F0		0_2_012F17F0
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F5840		0_2_012F5840
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F0FC8		0_2_012F0FC8
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F6118		0_2_012F6118
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F51A0		0_2_012F51A0
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F5190		0_2_012F5190
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F3020		0_2_012F3020
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F60E9		0_2_012F60E9
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F53B0		0_2_012F53B0
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F53C0		0_2_012F53C0
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F750A		0_2_012F750A
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F5648		0_2_012F5648
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F5658		0_2_012F5658
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F5B9F		0_2_012F5B9F
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F5AE0		0_2_012F5AE0
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F5AD1		0_2_012F5AD1
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F6DA0		0_2_012F6DA0
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F0F28		0_2_012F0F28
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F3FA8		0_2_012F3FA8
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F3F99		0_2_012F3F99
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_02F452D4		0_2_02F452D4
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_02F472D0		0_2_02F472D0
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_02F472C0		0_2_02F472C0
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_061D2680		0_2_061D2680
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_061D0477		0_2_061D0477
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_061D2671		0_2_061D2671
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_061D5218		0_2_061D5218
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_061D282B		0_2_061D282B
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 14_2_019A46A0		14_2_019A46A0
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 14_2_019A35C4		14_2_019A35C4
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 14_2_019A461C		14_2_019A461C
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 14_2_019A5390		14_2_019A5390
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 14_2_019AD980		14_2_019AD980
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F62240		22_2_02F62240
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F63110		22_2_02F63110
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F617F0		22_2_02F617F0
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F60471		22_2_02F60471
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F67518		22_2_02F67518
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F65840		22_2_02F65840
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F60FC8		22_2_02F60FC8
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F653C0		22_2_02F653C0
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F653B0		22_2_02F653B0
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F660E9		22_2_02F660E9
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F63020		22_2_02F63020
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F651A0		22_2_02F651A0
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F65190		22_2_02F65190
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F66118		22_2_02F66118
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F65673		22_2_02F65673
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F65658		22_2_02F65658
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F65648		22_2_02F65648
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F67509		22_2_02F67509
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F65AE0		22_2_02F65AE0
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F65AD1		22_2_02F65AD1
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F65B9F		22_2_02F65B9F
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F669D0		22_2_02F669D0
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F63FA8		22_2_02F63FA8
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F63F99		22_2_02F63F99
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F60F28		22_2_02F60F28
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_02F66DA0		22_2_02F66DA0
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_057172D0		22_2_057172D0
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_057152D4		22_2_057152D4
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_057172C0		22_2_057172C0
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_0C734C50		22_2_0C734C50
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_0C732680		22_2_0C732680
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_0C730040		22_2_0C730040
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_0C732671		22_2_0C732671
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_0C73282B		22_2_0C73282B
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_0C730007		22_2_0C730007
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_0C7350C9		22_2_0C7350C9
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_0C7302D8		22_2_0C7302D8
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_0C7302C9		22_2_0C7302C9
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 23_2_050A72C0		23_2_050A72C0
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 23_2_050A72D0		23_2_050A72D0
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 23_2_050A52D4		23_2_050A52D4
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 31_2_00F646A0		31_2_00F646A0
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 31_2_00F645B0		31_2_00F645B0

Sample file is different than original file name gathered from version info

Source: SPECIALISED SWIFT.EXE	Binary or memory string: OriginalFilename vs SPECIALISED SWIFT.EXE
Source: SPECIALISED SWIFT.EXE, 00000000.00000000.194656984.0000000000B42000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameKYod.exeF vs SPECIALISED SWIFT.EXE
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.288311951.0000000002FFD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs SPECIALISED SWIFT.EXE
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.288311951.0000000002FFD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs SPECIALISED SWIFT.EXE
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.288267227.0000000002FBF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamethTOnOkVNxNzMapcMnoXSbNbJU.exe4 vs SPECIALISED SWIFT.EXE
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.294160074.0000000005F30000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs SPECIALISED SWIFT.EXE
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.292548205.0000000005520000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs SPECIALISED SWIFT.EXE
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295066581.0000000006030000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs SPECIALISED SWIFT.EXE
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.295066581.0000000006030000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SPECIALISED SWIFT.EXE
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.287774204.0000000001310000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SPECIALISED SWIFT.EXE
Source: SPECIALISED SWIFT.EXE	Binary or memory string: OriginalFilename vs SPECIALISED SWIFT.EXE
Source: SPECIALISED SWIFT.EXE, 0000000E.00000003.336009834.0000000006B91000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKYod.exeF vs SPECIALISED SWIFT.EXE
Source: SPECIALISED SWIFT.EXE, 0000000E.00000002.460242852.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamethTOnOkVNxNzMapcMnoXSbNbJU.exe4 vs SPECIALISED SWIFT.EXE
Source: SPECIALISED SWIFT.EXE	Binary or memory string: OriginalFilenameKYod.exeF vs SPECIALISED SWIFT.EXE

Uses 32bit PE files

Source: SPECIALISED SWIFT.EXE

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: SPECIALISED SWIFT.EXE	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VWIpnm.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: pGKuRU.exe.14.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

.NET source code contains calls to encryption/decryption functions

Source: 14.0.SPECIALISED SWIFT.EXE.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.0.SPECIALISED SWIFT.EXE.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.2.SPECIALISED SWIFT.EXE.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.2.SPECIALISED SWIFT.EXE.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 31.2.pGKuRU.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 31.2.pGKuRU.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@13/8@0/0

Creates files inside the user directory

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE

File created: C:\Users\user\AppData\Roaming\VWIpnm.exe

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3472:120:WilError_01
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Mutant created: \Sessions\1\BaseNamedObjects\gTndlTfWGB
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:120:WilError_01

Creates temporary files

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE

File created: C:\Users\user\AppData\Local\Temp\tmp551C.tmp

Jump to behavior

PE file has an executable .text section and no other executable section

Source: SPECIALISED SWIFT.EXE

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Queries process information (via WMI, Win32_Process)

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Reads ini files

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Source: SPECIALISED SWIFT.EXE	Virustotal: Detection: 55%
Source: SPECIALISED SWIFT.EXE	ReversingLabs: Detection: 28%

Sample reads its own file content

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE

File read: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE 'C:\Users\user\Desktop\SPECIALISED SWIFT.EXE'
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VWIpnm' /XML 'C:\Users\user\AppData\Local\Temp\tmp551C.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process created: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe 'C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe 'C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe'
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VWIpnm' /XML 'C:\Users\user\AppData\Local\Temp\tmp74D4.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process created: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe {path}
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VWIpnm' /XML 'C:\Users\user\AppData\Local\Temp\tmp551C.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process created: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE {path}			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VWIpnm' /XML 'C:\Users\user\AppData\Local\Temp\tmp74D4.tmp'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process created: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe {path}			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE file contains a COM descriptor data directory

Source: SPECIALISED SWIFT.EXE

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: SPECIALISED SWIFT.EXE

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_00B4538C push 3861D9A0h; ret		0_2_00B4539C
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F658D push esp; retf		0_2_012F6594
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_012F9D05 push edx; retf 006Ch		0_2_012F9CE7
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_061D182A push es; retf		0_2_061D18A0
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 0_2_061D18A1 push es; iretd		0_2_061D18AC
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 14_2_00E2538C push 3861D9A0h; ret		14_2_00E2539C
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 14_2_018CE333 push eax; ret		14_2_018CE349
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Code function: 14_2_018CD95C push eax; ret		14_2_018CD95D
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 22_2_00D8538C push 3861D9A0h; ret		22_2_00D8539C
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 23_2_005F538C push 3861D9A0h; ret		23_2_005F539C
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 31_2_0086538C push 3861D9A0h; ret		31_2_0086539C
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 31_2_00EBE28A push eax; ret		31_2_00EBE349
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Code function: 31_2_00EBD95C push eax; ret		31_2_00EBD95D

Binary may include packed or encrypted code

Source: initial sample	Static PE information: section name: .text entropy: 7.59382083636
Source: initial sample	Static PE information: section name: .text entropy: 7.59382083636
Source: initial sample	Static PE information: section name: .text entropy: 7.59382083636

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	File created: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe			Jump to dropped file
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	File created: C:\Users\user\AppData\Roaming\VWIpnm.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VWIpnm' /XML 'C:\Users\user\AppData\Local\Temp\tmp551C.tmp'

Creates an autostart registry key

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pGKuRU			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pGKuRU			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE

File opened: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe:Zone.Identifier read attributes | delete

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: pGKuRU.exe PID: 1260, type: MEMORY
Source: Yara match	File source: Process Memory Space: SPECIALISED SWIFT.EXE PID: 6044, type: MEMORY
Source: Yara match	File source: Process Memory Space: pGKuRU.exe PID: 492, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe

Section loaded: OutputDebugStringW count: 147

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SPECIALISED SWIFT.EXE, 00000000.00000002.288255559.0000000002FBA000.00000004.00000001.sdmp, pGKuRU.exe, 00000016.00000002.442118608.00000000031BE000.00000004.00000001.sdmp, pGKuRU.exe, 00000017.00000002.469113349.0000000002FCB000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SPECIALISED SWIFT.EXE, 00000000.00000002.288255559.0000000002FBA000.00000004.00000001.sdmp, pGKuRU.exe, 00000016.00000002.442118608.00000000031BE000.00000004.00000001.sdmp, pGKuRU.exe, 00000017.00000002.469113349.0000000002FCB000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Contains capabilities to detect virtual machines

Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Window / User API: threadDelayed 8471			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Window / User API: threadDelayed 1382			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE TID: 1844	Thread sleep time: -44000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE TID: 1564	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE TID: 4548	Thread sleep time: -13835058055282155s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE TID: 4556	Thread sleep count: 8471 > 30			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE TID: 4556	Thread sleep count: 1382 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe TID: 404	Thread sleep time: -61000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe TID: 3984	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe TID: 8	Thread sleep count: 59 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe TID: 8	Thread sleep time: -59000s >= -30000s			Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Last function: Thread delayed

Contains medium sleeps (>= 30s)

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: pGKuRU.exe, 00000017.00000002.469113349.0000000002FCB000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: pGKuRU.exe, 00000017.00000002.469113349.0000000002FCB000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: pGKuRU.exe, 00000017.00000002.469113349.0000000002FCB000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: pGKuRU.exe, 00000017.00000002.469113349.0000000002FCB000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: pGKuRU.exe, 00000017.00000002.469113349.0000000002FCB000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: pGKuRU.exe, 00000017.00000002.469113349.0000000002FCB000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: pGKuRU.exe, 00000017.00000002.469113349.0000000002FCB000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: pGKuRU.exe, 00000017.00000002.469113349.0000000002FCB000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: pGKuRU.exe, 00000017.00000002.469113349.0000000002FCB000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Queries a list of all running processes

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process token adjusted: Debug			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Memory written: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Memory written: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe base: 400000 value starts with: 4D5A			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VWIpnm' /XML 'C:\Users\user\AppData\Local\Temp\tmp551C.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Process created: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE {path}			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VWIpnm' /XML 'C:\Users\user\AppData\Local\Temp\tmp74D4.tmp'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Process created: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe {path}			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: SPECIALISED SWIFT.EXE, 0000000E.00000002.465243987.0000000001DA0000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.465726974.0000000001560000.00000002.00000001.sdmp, pGKuRU.exe, 0000001F.00000002.465949769.0000000001620000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: SPECIALISED SWIFT.EXE, 0000000E.00000002.465243987.0000000001DA0000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.465726974.0000000001560000.00000002.00000001.sdmp, pGKuRU.exe, 0000001F.00000002.465949769.0000000001620000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SPECIALISED SWIFT.EXE, 0000000E.00000002.465243987.0000000001DA0000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.465726974.0000000001560000.00000002.00000001.sdmp, pGKuRU.exe, 0000001F.00000002.465949769.0000000001620000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SPECIALISED SWIFT.EXE, 0000000E.00000002.465243987.0000000001DA0000.00000002.00000001.sdmp, pGKuRU.exe, 00000017.00000002.465726974.0000000001560000.00000002.00000001.sdmp, pGKuRU.exe, 0000001F.00000002.465949769.0000000001620000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Queries volume information: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Queries volume information: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Queries volume information: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\SPECIALISED SWIFT.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 0000001F.00000002.460180951.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.286401273.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.438877169.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290470119.0000000003F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.460242852.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.443548557.00000000049B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.471230731.0000000004491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291001813.00000000040F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.SPECIALISED SWIFT.EXE.40296f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.pGKuRU.exe.4a79c80.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SPECIALISED SWIFT.EXE.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.pGKuRU.exe.455a0e8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.pGKuRU.exe.455a0e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SPECIALISED SWIFT.EXE.41dd228.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SPECIALISED SWIFT.EXE.40296f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.pGKuRU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SPECIALISED SWIFT.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.pGKuRU.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.pGKuRU.exe.4a79c80.3.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Source: Yara match	File source: 0000001F.00000002.460180951.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.286401273.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.438877169.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290470119.0000000003F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.460242852.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.443548557.00000000049B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.466469637.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.465914649.00000000033A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.471230731.0000000004491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291001813.00000000040F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pGKuRU.exe PID: 1260, type: MEMORY
Source: Yara match	File source: Process Memory Space: pGKuRU.exe PID: 5252, type: MEMORY
Source: Yara match	File source: Process Memory Space: SPECIALISED SWIFT.EXE PID: 6044, type: MEMORY
Source: Yara match	File source: Process Memory Space: SPECIALISED SWIFT.EXE PID: 5048, type: MEMORY
Source: Yara match	File source: 0.2.SPECIALISED SWIFT.EXE.40296f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.pGKuRU.exe.4a79c80.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SPECIALISED SWIFT.EXE.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.pGKuRU.exe.455a0e8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.pGKuRU.exe.455a0e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SPECIALISED SWIFT.EXE.41dd228.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SPECIALISED SWIFT.EXE.40296f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.pGKuRU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SPECIALISED SWIFT.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.pGKuRU.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.pGKuRU.exe.4a79c80.3.raw.unpack, type: UNPACKEDPE

Yara detected Credential Stealer

Source: Yara match	File source: 0000001F.00000002.466469637.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.465914649.00000000033A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pGKuRU.exe PID: 5252, type: MEMORY
Source: Yara match	File source: Process Memory Space: SPECIALISED SWIFT.EXE PID: 5048, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Source: Yara match	File source: 0000001F.00000002.460180951.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.286401273.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.438877169.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290470119.0000000003F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.460242852.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.443548557.00000000049B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.471230731.0000000004491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291001813.00000000040F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.SPECIALISED SWIFT.EXE.40296f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.pGKuRU.exe.4a79c80.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SPECIALISED SWIFT.EXE.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.pGKuRU.exe.455a0e8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.pGKuRU.exe.455a0e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SPECIALISED SWIFT.EXE.41dd228.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SPECIALISED SWIFT.EXE.40296f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.pGKuRU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SPECIALISED SWIFT.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.pGKuRU.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.pGKuRU.exe.4a79c80.3.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Source: Yara match	File source: 0000001F.00000002.460180951.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.286401273.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.438877169.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290470119.0000000003F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.460242852.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.443548557.00000000049B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.466469637.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.465914649.00000000033A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.471230731.0000000004491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.291001813.00000000040F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pGKuRU.exe PID: 1260, type: MEMORY
Source: Yara match	File source: Process Memory Space: pGKuRU.exe PID: 5252, type: MEMORY
Source: Yara match	File source: Process Memory Space: SPECIALISED SWIFT.EXE PID: 6044, type: MEMORY
Source: Yara match	File source: Process Memory Space: SPECIALISED SWIFT.EXE PID: 5048, type: MEMORY
Source: Yara match	File source: 0.2.SPECIALISED SWIFT.EXE.40296f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.pGKuRU.exe.4a79c80.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SPECIALISED SWIFT.EXE.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.pGKuRU.exe.455a0e8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.pGKuRU.exe.455a0e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SPECIALISED SWIFT.EXE.41dd228.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SPECIALISED SWIFT.EXE.40296f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.pGKuRU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SPECIALISED SWIFT.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.pGKuRU.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.pGKuRU.exe.4a79c80.3.raw.unpack, type: UNPACKEDPE