Windows Analysis Report
SWIFT_09903094858577_900039388883-TRF.exe

Overview

General Information

Sample Name: SWIFT_09903094858577_900039388883-TRF.exe
Analysis ID: 635184
MD5: 02d6ac6ec4a12ebc4c1d9166b9fd0e86
SHA1: ef8b52fea288cc7bc4c7c486d50b84461d73e741
SHA256: 0cefce0036bdcae72d06ede18a35ae7d38ea378aef702c2bd67006670c19bbc1
Tags: agentteslaexe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Found malware configuration
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.10.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info2@obynnehhhan.com", "Password": "G$MUuYG3", "Host": "smtp.obynnehhhan.com"}
Multi AV Scanner detection for submitted file
Source: SWIFT_09903094858577_900039388883-TRF.exe ReversingLabs: Detection: 14%
Antivirus or Machine Learning detection for unpacked file
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 5.2.SWIFT_09903094858577_900039388883-TRF.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Uses 32bit PE files
Source: SWIFT_09903094858577_900039388883-TRF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SWIFT_09903094858577_900039388883-TRF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\qqnRZsIIHB\src\obj\x86\Debug\EndNoGCRegionSta.pdb source: SWIFT_09903094858577_900039388883-TRF.exe

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 5.2.SWIFT_09903094858577_900039388883-TRF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a42990.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a77fb0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a0b570.5.raw.unpack, type: UNPACKEDPE
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000005.00000002.658655626.0000000002981000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000005.00000002.658655626.0000000002981000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000005.00000002.658655626.0000000002981000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://PcwsIt.com
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.383685174.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.383533455.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.382882779.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.382936594.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.383196986.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.383385022.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.383631334.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.383173518.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.383781752.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.383835216.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.383871610.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.383237347.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.383173518.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com(
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.383196986.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.383237347.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.comXt
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388913948.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388626362.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392243224.0000000005953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392243224.0000000005953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlt
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389820126.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389238092.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389684405.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389302234.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comhe
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389820126.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389238092.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389684405.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.390043191.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389302234.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.como.I
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397005721.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395545730.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395905005.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394677111.000000000594C000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395269106.000000000594C000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394982067.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394707605.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395764736.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394772042.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396726657.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396326776.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397528108.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396066018.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394876176.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395374356.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395078050.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397361974.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395186808.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395141278.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396188515.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395186808.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.398057554.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397005721.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397833505.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396726657.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396326776.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397528108.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397767310.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397718379.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.398000159.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397361974.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396188515.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395545730.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395269106.000000000594C000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394982067.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395374356.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395078050.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394929133.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395186808.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395141278.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397005721.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396726657.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396326776.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397528108.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397361974.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396188515.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comalsF
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397005721.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395905005.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395764736.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396726657.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396326776.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397528108.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396066018.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397361974.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396188515.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comcomd
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397005721.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395545730.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395608625.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395905005.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395269106.000000000594C000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394982067.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395764736.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396726657.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396326776.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396066018.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395374356.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395078050.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397361974.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394929133.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395186808.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395141278.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396188515.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.402687040.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.403974726.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.403082621.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.402516805.0000000005953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.come.comp
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395545730.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395269106.000000000594C000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395374356.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comessed1
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395545730.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395608625.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395269106.000000000594C000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395374356.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395186808.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comituF
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394677111.000000000594C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comiva
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.402687040.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395905005.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.403974726.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433768992.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396066018.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.403082621.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.426144944.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.402516805.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396188515.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.402687040.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.403974726.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.403082621.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.402516805.0000000005953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.commG
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.402687040.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.403974726.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.403082621.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.402516805.0000000005953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.como
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395545730.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395608625.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395269106.000000000594C000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395374356.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.como:
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394707605.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comp
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397005721.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395905005.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396726657.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396326776.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396066018.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397361974.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396188515.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comsief1
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395545730.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395269106.000000000594C000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394982067.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394707605.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394772042.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394876176.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395374356.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395078050.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394929133.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395186808.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395141278.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comto
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395269106.000000000594C000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394982067.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395078050.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394929133.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395186808.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.395141278.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comue
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388913948.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389046031.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388158710.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.390541816.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.390098278.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388486451.0000000005954000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.387447964.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389820126.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.387659026.0000000005950000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388003293.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.390297847.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388127665.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.387805345.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388262758.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389238092.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.390448917.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389684405.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388626362.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.390043191.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389302234.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.387659026.0000000005950000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388003293.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388127665.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.387805345.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.387659026.0000000005950000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/J
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388913948.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389046031.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388158710.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.390541816.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.390098278.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388486451.0000000005954000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389820126.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.387659026.0000000005950000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388003293.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.390297847.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388127665.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.387805345.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388262758.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389238092.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.390448917.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389684405.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388626362.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.390043191.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389302234.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn1
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.387402518.0000000005954000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.387364334.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnA
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.387447964.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnY
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.387402518.0000000005954000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.387364334.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnn-u
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.399208506.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.399402817.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.398838523.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.399011827.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.399208506.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.399724789.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.399485326.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.399402817.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.398838523.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.399852324.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.399635918.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.399011827.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmF
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.399208506.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.399724789.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.399485326.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.399402817.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.398838523.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.399852324.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.399635918.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.399011827.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmt
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.386773432.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr-ey
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391801811.0000000005952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392243224.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391890517.0000000005952000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391501258.0000000005950000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392310176.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391968800.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391418072.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392079319.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392501520.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392126421.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391801811.0000000005952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/#
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391501258.0000000005950000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391610173.000000000594F000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391661961.000000000594F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.393020597.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.393125591.0000000005950000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392811435.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392243224.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.393244057.0000000005950000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392539140.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.393322673.0000000005950000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391501258.0000000005950000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394267414.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391610173.000000000594F000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392940393.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394062624.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.393528628.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.393739621.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392310176.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391968800.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.393973304.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394413188.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391661961.000000000594F000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.393838736.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392079319.0000000005953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/:
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391890517.0000000005952000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391801811.0000000005952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.393020597.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392811435.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392243224.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391890517.0000000005952000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392539140.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391610173.000000000594F000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392940393.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392310176.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391968800.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391661961.000000000594F000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392079319.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392501520.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392589542.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392126421.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391801811.0000000005952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391610173.000000000594F000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391661961.000000000594F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/#
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391890517.0000000005952000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391801811.0000000005952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/:
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392243224.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391501258.0000000005950000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391610173.000000000594F000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392310176.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391968800.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391661961.000000000594F000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392079319.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392501520.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392126421.0000000005953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/U
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391501258.0000000005950000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391610173.000000000594F000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391661961.000000000594F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/k
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392243224.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391890517.0000000005952000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392310176.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391968800.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391418072.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392079319.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392501520.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392126421.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391801811.0000000005952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/k
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391501258.0000000005950000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391418072.0000000005953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/kh
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391176269.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391501258.0000000005950000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391610173.000000000594F000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391418072.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391661961.000000000594F000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391256199.000000000594C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391501258.0000000005950000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391418072.0000000005953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/siv
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391176269.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391418072.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391256199.000000000594C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/wa
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391890517.0000000005952000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391968800.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392079319.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392126421.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.391801811.0000000005952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/y
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.386437076.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.386318697.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396326776.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.386578954.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.386773432.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396188515.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.monotype.
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.381817686.0000000005932000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.381817686.0000000005932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comn
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392243224.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392243224.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392539140.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392310176.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392501520.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.392589542.0000000005953000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com-us
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.386936635.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.386989428.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.c
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.386578954.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.386936635.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.386773432.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.krF
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.386773432.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kra-e
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.386578954.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.386773432.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kra-es:
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.386773432.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.krk
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388188419.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comL
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388188419.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comg
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.390098278.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.390297847.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.390043191.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comic
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.388127665.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comx
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397005721.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394493069.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394267414.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394062624.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396726657.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.394413188.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.de
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.397005721.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.396726657.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.desiv
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389046031.000000000594B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.433941853.0000000006B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389046031.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnmR
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389046031.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnmbo#
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000003.389046031.000000000594B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000005.00000002.658758413.0000000002A28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000005.00000002.658655626.0000000002981000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: SWIFT_09903094858577_900039388883-TRF.exe String found in binary or memory: https://github.com
Source: SWIFT_09903094858577_900039388883-TRF.exe String found in binary or memory: https://github.com/dcoetzee/plants-vs-zombies-user-file-editor
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.432196435.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000005.00000000.423506540.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000005.00000002.658655626.0000000002981000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 5.2.SWIFT_09903094858577_900039388883-TRF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a42990.7.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a77fb0.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.7170000.9.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.7170000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a42990.7.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a42990.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a77fb0.6.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a77fb0.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a0b570.5.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a0b570.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000005.00000002.658655626.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000000.00000002.434440348.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen
Source: Process Memory Space: SWIFT_09903094858577_900039388883-TRF.exe PID: 3452, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
.NET source code contains very large array initializations
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b06A21515u002dB589u002d4A9Cu002dA54Au002d22BA57400E29u007d/u0034CB1A907u002dEAC2u002d4C09u002d9297u002dEDA94E30EAD5.cs Large array initialization: .cctor: array initializer size 11778
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b06A21515u002dB589u002d4A9Cu002dA54Au002d22BA57400E29u007d/u0034CB1A907u002dEAC2u002d4C09u002d9297u002dEDA94E30EAD5.cs Large array initialization: .cctor: array initializer size 11778
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007b06A21515u002dB589u002d4A9Cu002dA54Au002d22BA57400E29u007d/u0034CB1A907u002dEAC2u002d4C09u002d9297u002dEDA94E30EAD5.cs Large array initialization: .cctor: array initializer size 11778
Source: 5.2.SWIFT_09903094858577_900039388883-TRF.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b06A21515u002dB589u002d4A9Cu002dA54Au002d22BA57400E29u007d/u0034CB1A907u002dEAC2u002d4C09u002d9297u002dEDA94E30EAD5.cs Large array initialization: .cctor: array initializer size 11778
Uses 32bit PE files
Source: SWIFT_09903094858577_900039388883-TRF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 5.2.SWIFT_09903094858577_900039388883-TRF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a42990.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a77fb0.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.7170000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.7170000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a42990.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a42990.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a77fb0.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a77fb0.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a0b570.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a0b570.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000005.00000002.658655626.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000000.00000002.434440348.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: Process Memory Space: SWIFT_09903094858577_900039388883-TRF.exe PID: 3452, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Detected potential crypto function
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 0_2_00474714 0_2_00474714
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 0_2_0274F071 0_2_0274F071
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 0_2_0274F080 0_2_0274F080
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 0_2_0274D65C 0_2_0274D65C
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 5_2_00594714 5_2_00594714
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 5_2_00A60040 5_2_00A60040
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 5_2_00A6CBA0 5_2_00A6CBA0
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 5_2_00A64BF4 5_2_00A64BF4
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 5_2_00A63550 5_2_00A63550
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 5_2_00A69690 5_2_00A69690
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 5_2_00A6E0E8 5_2_00A6E0E8
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 5_2_00A6A980 5_2_00A6A980
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 5_2_028546A0 5_2_028546A0
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 5_2_0285D990 5_2_0285D990
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 5_2_02854690 5_2_02854690
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 5_2_028545B0 5_2_028545B0
Sample file is different than original file name gathered from version info
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000000.374685464.0000000000526000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEndNoGCRegionSta.exe" vs SWIFT_09903094858577_900039388883-TRF.exe
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.434440348.0000000007170000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameIVectorView.dllN vs SWIFT_09903094858577_900039388883-TRF.exe
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.429866303.0000000002931000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamexYhphEgZvlyOIRayjZxngr.exe4 vs SWIFT_09903094858577_900039388883-TRF.exe
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.432196435.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamexYhphEgZvlyOIRayjZxngr.exe4 vs SWIFT_09903094858577_900039388883-TRF.exe
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.432196435.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameIVectorView.dllN vs SWIFT_09903094858577_900039388883-TRF.exe
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000005.00000002.657614317.00000000007D8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SWIFT_09903094858577_900039388883-TRF.exe
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000005.00000000.420038634.0000000000646000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEndNoGCRegionSta.exe" vs SWIFT_09903094858577_900039388883-TRF.exe
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000005.00000000.424931359.0000000000438000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamexYhphEgZvlyOIRayjZxngr.exe4 vs SWIFT_09903094858577_900039388883-TRF.exe
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000005.00000002.657913192.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SWIFT_09903094858577_900039388883-TRF.exe
Source: SWIFT_09903094858577_900039388883-TRF.exe Binary or memory string: OriginalFilenameEndNoGCRegionSta.exe" vs SWIFT_09903094858577_900039388883-TRF.exe
Source: SWIFT_09903094858577_900039388883-TRF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SWIFT_09903094858577_900039388883-TRF.exe ReversingLabs: Detection: 14%
Source: SWIFT_09903094858577_900039388883-TRF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe "C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe"
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process created: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process created: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWIFT_09903094858577_900039388883-TRF.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0
Source: SWIFT_09903094858577_900039388883-TRF.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.10.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.10.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.6.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.6.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.8.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.8.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: SWIFT_09903094858577_900039388883-TRF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SWIFT_09903094858577_900039388883-TRF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: SWIFT_09903094858577_900039388883-TRF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\qqnRZsIIHB\src\obj\x86\Debug\EndNoGCRegionSta.pdb source: SWIFT_09903094858577_900039388883-TRF.exe
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 0_2_0274BE00 pushad ; ret 0_2_0274BE01
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 5_2_00A67DD2 push 8BFFFFFFh; retf 5_2_00A67DD8
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 5_2_00F1E38A push eax; ret 5_2_00F1E349
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 5_2_00F1D95C push eax; ret 5_2_00F1D95D
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 5_2_00F1E32B push eax; ret 5_2_00F1E349
Source: initial sample Static PE information: section name: .text entropy: 7.76139919747
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.432038283.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.429866303.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SWIFT_09903094858577_900039388883-TRF.exe PID: 3980, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.429866303.0000000002931000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.432038283.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.429866303.0000000002931000.00000004.00000800.00020000.00000000.sdmp, SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.432038283.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe TID: 3996 Thread sleep time: -43731s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe TID: 6456 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe TID: 6824 Thread sleep count: 36 > 30 Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe TID: 6824 Thread sleep time: -33204139332677172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe TID: 6832 Thread sleep count: 2944 > 30 Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe TID: 6832 Thread sleep count: 6873 > 30 Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Window / User API: threadDelayed 2944 Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Window / User API: threadDelayed 6873 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Thread delayed: delay time: 43731 Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.432038283.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.432038283.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.432038283.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: SWIFT_09903094858577_900039388883-TRF.exe, 00000000.00000002.432038283.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Enables debug privileges
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Code function: 5_2_00A6C910 LdrInitializeThunk, 5_2_00A6C910
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Process created: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 5.2.SWIFT_09903094858577_900039388883-TRF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a42990.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a77fb0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a42990.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a77fb0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a0b570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.423506540.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.424230467.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.424900759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.422855293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.656994998.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.432196435.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.658655626.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.658784371.0000000002A32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SWIFT_09903094858577_900039388883-TRF.exe PID: 3980, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SWIFT_09903094858577_900039388883-TRF.exe PID: 3452, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SWIFT_09903094858577_900039388883-TRF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.658655626.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SWIFT_09903094858577_900039388883-TRF.exe PID: 3452, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 5.2.SWIFT_09903094858577_900039388883-TRF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a42990.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a77fb0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.SWIFT_09903094858577_900039388883-TRF.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a42990.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a77fb0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT_09903094858577_900039388883-TRF.exe.3a0b570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.423506540.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.424230467.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.424900759.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.422855293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.656994998.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.432196435.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.658655626.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.658784371.0000000002A32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SWIFT_09903094858577_900039388883-TRF.exe PID: 3980, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SWIFT_09903094858577_900039388883-TRF.exe PID: 3452, type: MEMORYSTR
windows-stand
No contacted IP infos