Windows Analysis Report
SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe

Overview

General Information

Sample Name: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Analysis ID: 680484
MD5: 47b96215204bad8db8ce43a4685ee74c
SHA1: 6b5af0c13af653e5347e1b5e6a7f3bbecee257d5
SHA256: 613edebe9f20eff6958bc447fa000388c1b986e1cdb76930ca061d2c92fe952c
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus detection for URL or domain
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
Deletes itself after installation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file name differs from the original file name recorded in its version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
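
The signatures above (suspended process creation, mapping memory into another process, APC queuing, thread-context modification, explorer.exe spawning NETSTAT.EXE) describe one hollowing and injection chain. The following is an added example, not part of this Joe Sandbox report, of how that chain appears in host telemetry and how to triage it. The event stream is constructed to mirror Sysmon Event ID 1 (ProcessCreate), 8 (CreateRemoteThread) and 10 (ProcessAccess) field names; PIDs 5860 and 5032 (the sample) and 5260 (NETSTAT.EXE) are taken from the report, while explorer.exe's PID 3412, the timestamps and the procmon.exe noise line are assumptions. The access-mask constants are the documented Windows PROCESS_* rights.

```python
"""Triage of the hollowing / injection chain listed in the signatures.

Added example, not part of the Joe Sandbox report. EVENTS is CONSTRUCTED to
mirror Sysmon field names (Event ID 1 ProcessCreate, 8 CreateRemoteThread,
10 ProcessAccess). PIDs 5860, 5032 (sample) and 5260 (NETSTAT.EXE) are the
report's; explorer.exe PID 3412, the timestamps and the procmon.exe noise
line are assumptions. Access-mask constants are the Windows PROCESS_* rights.
"""
import ntpath

PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SET_INFORMATION = 0x0200
PROCESS_SUSPEND_RESUME = 0x0800

# Hollowing, APC queuing and SetThreadContext injection all need a handle that
# can write the target's memory AND start or redirect execution inside it.
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
EXEC_MASK = PROCESS_CREATE_THREAD | PROCESS_SUSPEND_RESUME | PROCESS_SET_INFORMATION

SAMPLE = r"C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe"
EXPLORER = r"C:\Windows\explorer.exe"
NETSTAT = r"C:\Windows\SysWOW64\NETSTAT.EXE"

EVENTS = [  # constructed; UtcTime values are relative placeholders
    {"EventID": 1, "UtcTime": "00:00:01", "ParentProcessId": 5860, "ParentImage": SAMPLE,
     "ProcessId": 5032, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 10, "UtcTime": "00:00:04", "SourceProcessId": 5032, "SourceImage": SAMPLE,
     "TargetProcessId": 3412, "TargetImage": EXPLORER, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "UtcTime": "00:00:04", "SourceProcessId": 5032, "SourceImage": SAMPLE,
     "TargetProcessId": 3412, "TargetImage": EXPLORER},
    # explorer.exe creates C:\Windows\SysWOW64\NETSTAT.EXE with no arguments, as in the report
    {"EventID": 1, "UtcTime": "00:00:06", "ParentProcessId": 3412, "ParentImage": EXPLORER,
     "ProcessId": 5260, "Image": NETSTAT, "CommandLine": NETSTAT},
    {"EventID": 10, "UtcTime": "00:00:06", "SourceProcessId": 3412, "SourceImage": EXPLORER,
     "TargetProcessId": 5260, "TargetImage": NETSTAT, "GrantedAccess": "0x1FFFFF"},
    # Benign noise: a monitoring tool that only queries process information.
    {"EventID": 10, "UtcTime": "00:00:07", "SourceProcessId": 2200, "SourceImage": r"C:\Tools\procmon.exe",
     "TargetProcessId": 5260, "TargetImage": NETSTAT, "GrantedAccess": "0x1400"},
]


def basename(path):
    """Lower-cased file name of a Windows path, tolerating a quoted command line."""
    return ntpath.basename(path.strip().strip('"')).lower()


def injection_capable(granted_access):
    """True if a ProcessAccess mask allows writing memory and driving execution."""
    mask = int(granted_access, 16)
    return (mask & WRITE_MASK) == WRITE_MASK and bool(mask & EXEC_MASK)


def triage(events):
    """Return (rule, detail) findings; correlates injected PIDs with later child processes."""
    findings, injected = [], set()
    for ev in sorted(events, key=lambda e: e["UtcTime"]):  # stable sort keeps same-time order
        if ev["EventID"] == 10:
            if ev["SourceProcessId"] != ev["TargetProcessId"] and injection_capable(ev["GrantedAccess"]):
                injected.add(ev["TargetProcessId"])
                findings.append(("injection_capable_handle",
                                 f"{basename(ev['SourceImage'])}:{ev['SourceProcessId']} -> "
                                 f"{basename(ev['TargetImage'])}:{ev['TargetProcessId']} {ev['GrantedAccess']}"))
        elif ev["EventID"] == 8:
            if ev["SourceProcessId"] != ev["TargetProcessId"]:
                findings.append(("remote_thread",
                                 f"{basename(ev['SourceImage'])}:{ev['SourceProcessId']} -> "
                                 f"{basename(ev['TargetImage'])}:{ev['TargetProcessId']}"))
        elif ev["EventID"] == 1:
            # Command line is just the image path: nobody runs netstat that way by hand.
            argless = basename(ev["CommandLine"]) == basename(ev["Image"])
            if ev["ParentProcessId"] in injected and argless:
                findings.append(("injected_parent_spawns_argless_child",
                                 f"{basename(ev['ParentImage'])}:{ev['ParentProcessId']} -> {ev['Image']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule:40s} {detail}")
```

A PROCESS_ALL_ACCESS handle (0x1FFFFF) from the sample to explorer.exe, a remote thread into it, and explorer.exe then launching an argument-less SysWOW64 console utility that it in turn opens with full access is the sequence this report records. The correlation on the injected parent's PID is what separates the NETSTAT.EXE launch from a user starting a program from the Start menu, which also produces an explorer.exe child with a bare image path as its command line.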

Classification

AV Detection

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Virustotal: Detection: 40%
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe ReversingLabs: Detection: 46%
Source: Yara match File source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: www.classicpretty.com/qkkr/ Avira URL Cloud: Label: malware
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Joe Sandbox ML: detected
Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.classicpretty.com/qkkr/"], "decoy": ["7gCdEvi4PU1csVn41UdG95Ufy7SR", "3/kS/9ZgObTlShULwBM8", "UmkOiGYioBlRs12D06oGbv8X", "JHVcqPzZQM4=", "597t26RTZoSV64ak89Q0kUqhiRWZ", "EGeQhlYOeLg5jSU=", "uPMS7r10aXmis6FQ", "bBxVPrS1SNM=", "TGkjh14+21mDz2aAy6gGbv8X", "Jm3QiEjsOJLnDPGK/GhezP9J+w==", "nqvLrZVqboJ018dvX1tvKr8fy7SR", "6TLsXCjsdIRapiVFFW8QLq/Jpyz84bgt", "zAmlDcFiMH2BzqHdfrG10w==", "80byQOwlybg5jSU=", "7+wUCuhxEmJpdn22IQ==", "2BtALhSuf7+qDZLEoxy5YDqSQ7Y=", "Sl3pWETqy+UJZw==", "5O597tysPrbdIcfwRTbC6zqSQ7Y=", "jLnMq5lBKkZChXBmO5s=", "kYuyrH0QySmG5nu1XpW42Q==", "AVBMJBLacrg5jSU=", "A3EiigAN5iQV", "F/sA6K0zGK38TcjqqZf6a/EO", "mO3ly4UvKJ/lKazOfrG10w==", "g5r8xzg9f6x0bHBmO5s=", "/iOw+dqWvwIJZTvwt5b2X+QE", "VpOyflNVFjEf", "GXQWhGozhjmnBet72T7lWsEQ8w==", "rdYUAOqoZ7nfIslcROQt2fE=", "X2RvVx7e62F4x5E4CnV6WsEQ8w==", "0yCtNg7Wcrg5jSU=", "mbPTqHUVyhQpm3BmO5s=", "+kM7JyLOqy5x0YEX4FFtWsEQ8w==", "zzzpWjjD3j6BlWuc/uL7qEOX+qaI", "txIhBcxwTa3+XYzyzJUw2w==", "UVf1TAGb+4XmRb/87Vn5I6DHK9Gb", "NpNAvptlQJ8D2yU3Ft/6a/EO", "4w0O8uNWqzaZ6lNzR+Qt2fE=", "T0/XSzLua7BYvzw=", "AQCJ9bFtcX+S2KNXKQ==", "S6XAupU+A01SrXBmO5s=", "WJvBvpRANTlylxBBJRQj", "Roespn0fNnSis6FQ", "Zl5zgV8FJGthukV331t6WsEQ8w==", "yR+1GPuz6jBXvZc8CfH5tWXFZft+h3kl", "GEdYQw64y+UJZw==", "V1FZLCjxcvJZsZ5efrG10w==", "8xE8RCS8y+UJZw==", "gdDo2JE7Q8srfuoAw6z6a/EO", "ywKjBNd8tKn2FbvOfrG10w==", "MdAFl1EPS0heyzI=", "SZOLcznb1vDhGNuKX1F4F8r4lqQvvQ==", "8RIpGwG+nyBWdn22IQ==", "vxU/Ngu8y+UJZw==", "c5C7l14L4DFQdn22IQ==", "vAftT7Dd5+yadn22IQ==", "aLlEn2PsEmiis6FQ", "2yHKQhapTpn2LLNH", "vLhJvJ5k516vEb73TypG4pEfy7SR", "k+Hy17lycX+S2KNXKQ==", "0NHXxJo7WJqhGrDmvK36a/EO", "3tQjHQW5y+UJZw==", "Yu0MIIV4OYT2LLNH", "aK05uHh9U9cgfg=="]}
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: netstat.pdbGCTL source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.631556804.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netstat.pdb source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.631556804.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000003.464845740.00000000010F8000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.633709090.000000000064D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.630998523.00000000004A4000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.696035428.000000000352F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000003.464845740.00000000010F8000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.633709090.000000000064D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.630998523.00000000004A4000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.696035428.000000000352F000.00000040.00000800.00020000.00000000.sdmp

Networking

Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: Yara match File source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, type: SAMPLE
Source: Yara match File source: 15.2.NETSTAT.EXE.3a67a24.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Malware configuration extractor URLs: www.classicpretty.com/qkkr/
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe String found in binary or memory: http://boards.4chan.org/b/
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe String found in binary or memory: http://boards.4chan.org3Retrieving
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe String found in binary or memory: http://images.4chan.org/
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.479690273.00000000071E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: www.thesnapnsipbottle.com
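
The configuration extracted in the AV Detection section and the DNS query recorded here are this sample's network indicators. Below is an added example, not part of the Joe Sandbox report, that parses the extractor's output, reduces the C2 URL to a host that can be blocked, and checks constructed DNS log lines against it. The decoy entries are kept as the opaque strings the extractor printed (it did not decode them, and neither does this code). FormBook resolves decoy domains alongside its real C2, which is why www.thesnapnsipbottle.com appears in DNS but not in the C2 list; the code therefore reports a name resolved by an injected process separately from a confirmed C2 match instead of treating every resolved domain as the live C2. The log lines, explorer.exe PID 3412 and the firefox.exe entry are assumptions; the hashes, the C2 entry and PID 5260 (NETSTAT.EXE) come from the report.

```python
"""Network indicators of this sample: C2 from the extracted configuration
and a check of DNS telemetry against it.

Added example, not part of the Joe Sandbox report. CONFIG_LINE is the
extractor output quoted from the report with the decoy list cut to its
first three entries; REPORT_HASHES are the report's file hashes. DNS_LOG is
CONSTRUCTED in a Sysmon Event ID 22 style; explorer.exe PID 3412 and the
firefox.exe line are assumptions, PID 5260 (NETSTAT.EXE) is the report's.
"""
import json
import re
from urllib.parse import urlsplit

CONFIG_LINE = (
    'Malware Configuration Extractor: FormBook {"C2 list": ["www.classicpretty.com/qkkr/"], '
    '"decoy": ["7gCdEvi4PU1csVn41UdG95Ufy7SR", "3/kS/9ZgObTlShULwBM8", "UmkOiGYioBlRs12D06oGbv8X"]}'
)

REPORT_HASHES = {
    "md5": "47b96215204bad8db8ce43a4685ee74c",
    "sha1": "6b5af0c13af653e5347e1b5e6a7f3bbecee257d5",
    "sha256": "613edebe9f20eff6958bc447fa000388c1b986e1cdb76930ca061d2c92fe952c",
}

DNS_LOG = [  # constructed lines
    r"Image=C:\Windows\explorer.exe ProcessId=3412 QueryName=www.classicpretty.com",
    r"Image=C:\Windows\SysWOW64\NETSTAT.EXE ProcessId=5260 QueryName=www.thesnapnsipbottle.com",
    r"Image=C:\Program Files\Mozilla Firefox\firefox.exe ProcessId=4100 QueryName=www.mozilla.org",
]
DNS_RE = re.compile(r"Image=(?P<image>.+?) ProcessId=(?P<pid>\d+) QueryName=(?P<name>\S+)")


def parse_config(line):
    """Parse the extractor's JSON; decoy entries stay opaque (the extractor did not decode them)."""
    cfg = json.loads(line[line.index("{"):])
    urls = cfg.get("C2 list", [])
    hosts = set()
    for url in urls:
        if "://" not in url:
            url = "http://" + url  # the extractor prints host/path without a scheme
        hosts.add(urlsplit(url).hostname.lower())
    return {"c2_urls": urls, "c2_hosts": hosts, "decoy_count": len(cfg.get("decoy", []))}


def classify_dns(lines, iocs, suspect_pids):
    """Label each query: known C2 host, or an unlisted name resolved by an injected process."""
    labelled = []
    for line in lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        name = m["name"].lower().rstrip(".")
        if name in iocs["c2_hosts"]:
            labelled.append((name, "known_c2"))
        elif int(m["pid"]) in suspect_pids:
            # Not in the config's C2 list: may be a decoy FormBook resolves alongside
            # the real C2, so surface it for review rather than blocking it outright.
            labelled.append((name, "resolved_by_injected_process"))
    return labelled


def match_hash(value):
    """Return the algorithm whose report hash equals value (case-insensitive), or None."""
    value = value.strip().lower()
    return next((algo for algo, h in REPORT_HASHES.items() if h == value), None)


if __name__ == "__main__":
    iocs = parse_config(CONFIG_LINE)
    print("block hosts:", sorted(iocs["c2_hosts"]), "full C2 URLs:", iocs["c2_urls"])
    for name, label in classify_dns(DNS_LOG, iocs, {3412, 5260}):
        print(f"{label:30s} {name}")
```

Block on the host rather than on the full URL: the /qkkr/ path is the panel location on that host and can change without the host changing, while the host is what every DNS and proxy log will show.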

E-Banking Fraud

Source: Yara match File source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5860, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5032, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 5260, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample Static PE information: Filename: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5860, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5032, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 5260, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 0_2_01803DC4 0_2_01803DC4
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 0_2_01808458 0_2_01808458
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B0D20 6_2_012B0D20
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D4120 6_2_012D4120
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BF900 6_2_012BF900
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01381D55 6_2_01381D55
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E2581 6_2_012E2581
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CD5E0 6_2_012CD5E0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C841F 6_2_012C841F
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371002 6_2_01371002
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E20A0 6_2_012E20A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CB090 6_2_012CB090
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EEBB0 6_2_012EEBB0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D6E30 6_2_012D6E30
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: String function: 012BB150 appears 35 times
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_012F9910
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9540 NtReadFile,LdrInitializeThunk, 6_2_012F9540
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F99A0 NtCreateSection,LdrInitializeThunk, 6_2_012F99A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F95D0 NtClose,LdrInitializeThunk, 6_2_012F95D0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9860 NtQuerySystemInformation,LdrInitializeThunk, 6_2_012F9860
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9840 NtDelayExecution,LdrInitializeThunk, 6_2_012F9840
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F98F0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_012F98F0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9710 NtQueryInformationToken,LdrInitializeThunk, 6_2_012F9710
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F97A0 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_012F97A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9780 NtMapViewOfSection,LdrInitializeThunk, 6_2_012F9780
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9FE0 NtCreateMutant,LdrInitializeThunk, 6_2_012F9FE0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9A20 NtResumeThread,LdrInitializeThunk, 6_2_012F9A20
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9A00 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_012F9A00
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_012F9660
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9A50 NtCreateFile,LdrInitializeThunk, 6_2_012F9A50
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F96E0 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_012F96E0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9520 NtWaitForSingleObject, 6_2_012F9520
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012FAD30 NtSetContextThread, 6_2_012FAD30
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9560 NtWriteFile, 6_2_012F9560
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9950 NtQueueApcThread, 6_2_012F9950
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F95F0 NtQueryInformationFile, 6_2_012F95F0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F99D0 NtCreateProcessEx, 6_2_012F99D0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9820 NtEnumerateKey, 6_2_012F9820
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012FB040 NtSuspendThread, 6_2_012FB040
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F98A0 NtWriteVirtualMemory, 6_2_012F98A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9730 NtQueryVirtualMemory, 6_2_012F9730
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9B00 NtSetValueKey, 6_2_012F9B00
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012FA710 NtOpenProcessToken, 6_2_012FA710
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9760 NtOpenProcess, 6_2_012F9760
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9770 NtSetInformationFile, 6_2_012F9770
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012FA770 NtOpenThread, 6_2_012FA770
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012FA3B0 NtGetContextThread, 6_2_012FA3B0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9A10 NtQuerySection, 6_2_012F9A10
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9610 NtEnumerateValueKey, 6_2_012F9610
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9670 NtQueryInformationProcess, 6_2_012F9670
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9650 NtQueryValueKey, 6_2_012F9650
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9A80 NtOpenDirectoryObject, 6_2_012F9A80
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F96D0 NtCreateKey, 6_2_012F96D0
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.491093664.0000000007890000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.491770747.0000000007A10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.468118041.000000000333C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000000.415017725.0000000000DFB000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameICryptoTransf.exe: vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.487937932.0000000007860000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000003.451204538.00000000076F3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000003.465937869.0000000001217000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.634676757.00000000013AF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.631556804.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Binary or memory string: OriginalFilenameICryptoTransf.exe: vs SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Virustotal: Detection: 40%
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe ReversingLabs: Detection: 46%
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe "C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe"
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Process created: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Process created: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\InProcServer32
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/1@1/0
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, Scraper/Archiving/Zip/Compression/Streams/DeflaterOutputStream.cs Cryptographic APIs: 'TransformBlock'
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, Scraper/Archiving/Zip/Compression/Streams/InflaterInputBuffer.cs Cryptographic APIs: 'TransformBlock'
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, Scraper/frmMain.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: netstat.pdbGCTL source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.631556804.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netstat.pdb source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.631556804.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000003.464845740.00000000010F8000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.633709090.000000000064D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.630998523.00000000004A4000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.696035428.000000000352F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000003.464845740.00000000010F8000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000006.00000002.632184573.0000000001290000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.633709090.000000000064D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000003.630998523.00000000004A4000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000F.00000002.696035428.000000000352F000.00000040.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, Scraper/frmMain.cs .Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0130D0D1 push ecx; ret 6_2_0130D0E4
Source: initial sample Static PE information: section name: .text entropy: 7.5981105192888725

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\NETSTAT.EXE File deleted: c:\users\user\desktop\swift transfer (103) __037rtg2050822156____pdf__.exe
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.467346210.00000000032FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe PID: 5860, type: MEMORYSTR
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.467346210.00000000032FB000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.467346210.00000000032FB000.00000004.00000800.00020000.00000000.sdmp, SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe TID: 5792 Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe TID: 2884 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F6DE6 rdtsc 6_2_012F6DE6
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe API coverage: 5.9 %
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Thread delayed: delay time: 45877
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000007.00000000.554128004.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.509018964.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000003.456658745.0000000007970000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: >bHgfs
Source: explorer.exe, 00000007.00000000.554128004.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.554128004.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000007.00000000.509899975.0000000007F8A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000000.545591194.0000000006915000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.554256507.00000000080B1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000007.00000000.509899975.0000000007F8A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe, 00000000.00000002.473127141.000000000354B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F6DE6 rdtsc 6_2_012F6DE6
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process token adjusted: Debug
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0133A537 mov eax, dword ptr fs:[00000030h] 6_2_0133A537
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01388D34 mov eax, dword ptr fs:[00000030h] 6_2_01388D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D4120 mov eax, dword ptr fs:[00000030h] 6_2_012D4120
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D4120 mov ecx, dword ptr fs:[00000030h] 6_2_012D4120
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E513A mov eax, dword ptr fs:[00000030h] 6_2_012E513A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E4D3B mov eax, dword ptr fs:[00000030h] 6_2_012E4D3B
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E4D3B mov eax, dword ptr fs:[00000030h] 6_2_012E4D3B
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E4D3B mov eax, dword ptr fs:[00000030h] 6_2_012E4D3B
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h] 6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h] 6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h] 6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h] 6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h] 6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h] 6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h] 6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h] 6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h] 6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h] 6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h] 6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h] 6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C3D34 mov eax, dword ptr fs:[00000030h] 6_2_012C3D34
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BAD30 mov eax, dword ptr fs:[00000030h] 6_2_012BAD30
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B9100 mov eax, dword ptr fs:[00000030h] 6_2_012B9100
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B9100 mov eax, dword ptr fs:[00000030h] 6_2_012B9100
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B9100 mov eax, dword ptr fs:[00000030h] 6_2_012B9100
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BC962 mov eax, dword ptr fs:[00000030h] 6_2_012BC962
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BB171 mov eax, dword ptr fs:[00000030h] 6_2_012BB171
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BB171 mov eax, dword ptr fs:[00000030h] 6_2_012BB171
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DC577 mov eax, dword ptr fs:[00000030h] 6_2_012DC577
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DC577 mov eax, dword ptr fs:[00000030h] 6_2_012DC577
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DB944 mov eax, dword ptr fs:[00000030h] 6_2_012DB944
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DB944 mov eax, dword ptr fs:[00000030h] 6_2_012DB944
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F3D43 mov eax, dword ptr fs:[00000030h] 6_2_012F3D43
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01333540 mov eax, dword ptr fs:[00000030h] 6_2_01333540
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D7D50 mov eax, dword ptr fs:[00000030h] 6_2_012D7D50
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013351BE mov eax, dword ptr fs:[00000030h] 6_2_013351BE
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013351BE mov eax, dword ptr fs:[00000030h] 6_2_013351BE
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013351BE mov eax, dword ptr fs:[00000030h] 6_2_013351BE
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013351BE mov eax, dword ptr fs:[00000030h] 6_2_013351BE
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E61A0 mov eax, dword ptr fs:[00000030h] 6_2_012E61A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E61A0 mov eax, dword ptr fs:[00000030h] 6_2_012E61A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E35A1 mov eax, dword ptr fs:[00000030h] 6_2_012E35A1
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013805AC mov eax, dword ptr fs:[00000030h] 6_2_013805AC
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013805AC mov eax, dword ptr fs:[00000030h] 6_2_013805AC
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013369A6 mov eax, dword ptr fs:[00000030h] 6_2_013369A6
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E1DB5 mov eax, dword ptr fs:[00000030h] 6_2_012E1DB5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E1DB5 mov eax, dword ptr fs:[00000030h] 6_2_012E1DB5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E1DB5 mov eax, dword ptr fs:[00000030h] 6_2_012E1DB5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B2D8A mov eax, dword ptr fs:[00000030h] 6_2_012B2D8A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B2D8A mov eax, dword ptr fs:[00000030h] 6_2_012B2D8A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B2D8A mov eax, dword ptr fs:[00000030h] 6_2_012B2D8A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B2D8A mov eax, dword ptr fs:[00000030h] 6_2_012B2D8A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B2D8A mov eax, dword ptr fs:[00000030h] 6_2_012B2D8A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EA185 mov eax, dword ptr fs:[00000030h] 6_2_012EA185
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DC182 mov eax, dword ptr fs:[00000030h] 6_2_012DC182
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E2581 mov eax, dword ptr fs:[00000030h] 6_2_012E2581
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E2581 mov eax, dword ptr fs:[00000030h] 6_2_012E2581
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E2581 mov eax, dword ptr fs:[00000030h] 6_2_012E2581
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E2581 mov eax, dword ptr fs:[00000030h] 6_2_012E2581
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EFD9B mov eax, dword ptr fs:[00000030h] 6_2_012EFD9B
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EFD9B mov eax, dword ptr fs:[00000030h] 6_2_012EFD9B
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E2990 mov eax, dword ptr fs:[00000030h] 6_2_012E2990
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01368DF1 mov eax, dword ptr fs:[00000030h] 6_2_01368DF1
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BB1E1 mov eax, dword ptr fs:[00000030h] 6_2_012BB1E1
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BB1E1 mov eax, dword ptr fs:[00000030h] 6_2_012BB1E1
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BB1E1 mov eax, dword ptr fs:[00000030h] 6_2_012BB1E1
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CD5E0 mov eax, dword ptr fs:[00000030h] 6_2_012CD5E0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CD5E0 mov eax, dword ptr fs:[00000030h] 6_2_012CD5E0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013441E8 mov eax, dword ptr fs:[00000030h] 6_2_013441E8
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336DC9 mov eax, dword ptr fs:[00000030h] 6_2_01336DC9
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336DC9 mov eax, dword ptr fs:[00000030h] 6_2_01336DC9
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336DC9 mov eax, dword ptr fs:[00000030h] 6_2_01336DC9
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336DC9 mov ecx, dword ptr fs:[00000030h] 6_2_01336DC9
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336DC9 mov eax, dword ptr fs:[00000030h] 6_2_01336DC9
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336DC9 mov eax, dword ptr fs:[00000030h] 6_2_01336DC9
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EBC2C mov eax, dword ptr fs:[00000030h] 6_2_012EBC2C
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E002D mov eax, dword ptr fs:[00000030h] 6_2_012E002D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E002D mov eax, dword ptr fs:[00000030h] 6_2_012E002D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E002D mov eax, dword ptr fs:[00000030h] 6_2_012E002D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E002D mov eax, dword ptr fs:[00000030h] 6_2_012E002D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E002D mov eax, dword ptr fs:[00000030h] 6_2_012E002D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CB02A mov eax, dword ptr fs:[00000030h] 6_2_012CB02A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CB02A mov eax, dword ptr fs:[00000030h] 6_2_012CB02A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CB02A mov eax, dword ptr fs:[00000030h] 6_2_012CB02A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CB02A mov eax, dword ptr fs:[00000030h] 6_2_012CB02A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01337016 mov eax, dword ptr fs:[00000030h] 6_2_01337016
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01337016 mov eax, dword ptr fs:[00000030h] 6_2_01337016
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01337016 mov eax, dword ptr fs:[00000030h] 6_2_01337016
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01384015 mov eax, dword ptr fs:[00000030h] 6_2_01384015
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01384015 mov eax, dword ptr fs:[00000030h] 6_2_01384015
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h] 6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h] 6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h] 6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h] 6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h] 6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h] 6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h] 6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h] 6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h] 6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h] 6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h] 6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h] 6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h] 6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01371C06 mov eax, dword ptr fs:[00000030h] 6_2_01371C06
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0138740D mov eax, dword ptr fs:[00000030h] 6_2_0138740D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0138740D mov eax, dword ptr fs:[00000030h] 6_2_0138740D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0138740D mov eax, dword ptr fs:[00000030h] 6_2_0138740D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336C0A mov eax, dword ptr fs:[00000030h] 6_2_01336C0A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336C0A mov eax, dword ptr fs:[00000030h] 6_2_01336C0A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336C0A mov eax, dword ptr fs:[00000030h] 6_2_01336C0A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336C0A mov eax, dword ptr fs:[00000030h] 6_2_01336C0A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D746D mov eax, dword ptr fs:[00000030h] 6_2_012D746D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01372073 mov eax, dword ptr fs:[00000030h] 6_2_01372073
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01381074 mov eax, dword ptr fs:[00000030h] 6_2_01381074
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134C450 mov eax, dword ptr fs:[00000030h] 6_2_0134C450
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134C450 mov eax, dword ptr fs:[00000030h] 6_2_0134C450
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EA44B mov eax, dword ptr fs:[00000030h] 6_2_012EA44B
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D0050 mov eax, dword ptr fs:[00000030h] 6_2_012D0050
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D0050 mov eax, dword ptr fs:[00000030h] 6_2_012D0050
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F90AF mov eax, dword ptr fs:[00000030h] 6_2_012F90AF
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h] 6_2_012E20A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h] 6_2_012E20A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h] 6_2_012E20A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h] 6_2_012E20A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h] 6_2_012E20A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E20A0 mov eax, dword ptr fs:[00000030h] 6_2_012E20A0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EF0BF mov ecx, dword ptr fs:[00000030h] 6_2_012EF0BF
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EF0BF mov eax, dword ptr fs:[00000030h] 6_2_012EF0BF
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EF0BF mov eax, dword ptr fs:[00000030h] 6_2_012EF0BF
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B9080 mov eax, dword ptr fs:[00000030h] 6_2_012B9080
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01333884 mov eax, dword ptr fs:[00000030h] 6_2_01333884
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01333884 mov eax, dword ptr fs:[00000030h] 6_2_01333884
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C849B mov eax, dword ptr fs:[00000030h] 6_2_012C849B
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336CF0 mov eax, dword ptr fs:[00000030h] 6_2_01336CF0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336CF0 mov eax, dword ptr fs:[00000030h] 6_2_01336CF0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01336CF0 mov eax, dword ptr fs:[00000030h] 6_2_01336CF0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B58EC mov eax, dword ptr fs:[00000030h] 6_2_012B58EC
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013714FB mov eax, dword ptr fs:[00000030h] 6_2_013714FB
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0134B8D0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134B8D0 mov ecx, dword ptr fs:[00000030h] 6_2_0134B8D0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0134B8D0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0134B8D0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0134B8D0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0134B8D0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01388CD6 mov eax, dword ptr fs:[00000030h] 6_2_01388CD6
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B4F2E mov eax, dword ptr fs:[00000030h] 6_2_012B4F2E
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B4F2E mov eax, dword ptr fs:[00000030h] 6_2_012B4F2E
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EE730 mov eax, dword ptr fs:[00000030h] 6_2_012EE730
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EA70E mov eax, dword ptr fs:[00000030h] 6_2_012EA70E
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EA70E mov eax, dword ptr fs:[00000030h] 6_2_012EA70E
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134FF10 mov eax, dword ptr fs:[00000030h] 6_2_0134FF10
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134FF10 mov eax, dword ptr fs:[00000030h] 6_2_0134FF10
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0137131B mov eax, dword ptr fs:[00000030h] 6_2_0137131B
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0138070D mov eax, dword ptr fs:[00000030h] 6_2_0138070D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0138070D mov eax, dword ptr fs:[00000030h] 6_2_0138070D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DF716 mov eax, dword ptr fs:[00000030h] 6_2_012DF716
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BDB60 mov ecx, dword ptr fs:[00000030h] 6_2_012BDB60
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CFF60 mov eax, dword ptr fs:[00000030h] 6_2_012CFF60
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01388F6A mov eax, dword ptr fs:[00000030h] 6_2_01388F6A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E3B7A mov eax, dword ptr fs:[00000030h] 6_2_012E3B7A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E3B7A mov eax, dword ptr fs:[00000030h] 6_2_012E3B7A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01388B58 mov eax, dword ptr fs:[00000030h] 6_2_01388B58
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BDB40 mov eax, dword ptr fs:[00000030h] 6_2_012BDB40
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CEF40 mov eax, dword ptr fs:[00000030h] 6_2_012CEF40
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BF358 mov eax, dword ptr fs:[00000030h] 6_2_012BF358
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E4BAD mov eax, dword ptr fs:[00000030h] 6_2_012E4BAD
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E4BAD mov eax, dword ptr fs:[00000030h] 6_2_012E4BAD
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E4BAD mov eax, dword ptr fs:[00000030h] 6_2_012E4BAD
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01385BA5 mov eax, dword ptr fs:[00000030h] 6_2_01385BA5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C1B8F mov eax, dword ptr fs:[00000030h] 6_2_012C1B8F
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C1B8F mov eax, dword ptr fs:[00000030h] 6_2_012C1B8F
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01337794 mov eax, dword ptr fs:[00000030h] 6_2_01337794
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01337794 mov eax, dword ptr fs:[00000030h] 6_2_01337794
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01337794 mov eax, dword ptr fs:[00000030h] 6_2_01337794
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0136D380 mov ecx, dword ptr fs:[00000030h] 6_2_0136D380
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C8794 mov eax, dword ptr fs:[00000030h] 6_2_012C8794
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E2397 mov eax, dword ptr fs:[00000030h] 6_2_012E2397
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0137138A mov eax, dword ptr fs:[00000030h] 6_2_0137138A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EB390 mov eax, dword ptr fs:[00000030h] 6_2_012EB390
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DDBE9 mov eax, dword ptr fs:[00000030h] 6_2_012DDBE9
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h] 6_2_012E03E2
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h] 6_2_012E03E2
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h] 6_2_012E03E2
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h] 6_2_012E03E2
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h] 6_2_012E03E2
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E03E2 mov eax, dword ptr fs:[00000030h] 6_2_012E03E2
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F37F5 mov eax, dword ptr fs:[00000030h] 6_2_012F37F5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013353CA mov eax, dword ptr fs:[00000030h] 6_2_013353CA
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013353CA mov eax, dword ptr fs:[00000030h] 6_2_013353CA
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F4A2C mov eax, dword ptr fs:[00000030h] 6_2_012F4A2C
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F4A2C mov eax, dword ptr fs:[00000030h] 6_2_012F4A2C
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0136FE3F mov eax, dword ptr fs:[00000030h] 6_2_0136FE3F
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BE620 mov eax, dword ptr fs:[00000030h] 6_2_012BE620
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C8A0A mov eax, dword ptr fs:[00000030h] 6_2_012C8A0A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BC600 mov eax, dword ptr fs:[00000030h] 6_2_012BC600
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BC600 mov eax, dword ptr fs:[00000030h] 6_2_012BC600
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BC600 mov eax, dword ptr fs:[00000030h] 6_2_012BC600
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E8E00 mov eax, dword ptr fs:[00000030h] 6_2_012E8E00
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012D3A1C mov eax, dword ptr fs:[00000030h] 6_2_012D3A1C
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EA61C mov eax, dword ptr fs:[00000030h] 6_2_012EA61C
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EA61C mov eax, dword ptr fs:[00000030h] 6_2_012EA61C
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B5210 mov eax, dword ptr fs:[00000030h] 6_2_012B5210
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B5210 mov ecx, dword ptr fs:[00000030h] 6_2_012B5210
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B5210 mov eax, dword ptr fs:[00000030h] 6_2_012B5210
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B5210 mov eax, dword ptr fs:[00000030h] 6_2_012B5210
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BAA16 mov eax, dword ptr fs:[00000030h] 6_2_012BAA16
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012BAA16 mov eax, dword ptr fs:[00000030h] 6_2_012BAA16
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C766D mov eax, dword ptr fs:[00000030h] 6_2_012C766D
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F927A mov eax, dword ptr fs:[00000030h] 6_2_012F927A
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0136B260 mov eax, dword ptr fs:[00000030h] 6_2_0136B260
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0136B260 mov eax, dword ptr fs:[00000030h] 6_2_0136B260
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01388A62 mov eax, dword ptr fs:[00000030h] 6_2_01388A62
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DAE73 mov eax, dword ptr fs:[00000030h] 6_2_012DAE73
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DAE73 mov eax, dword ptr fs:[00000030h] 6_2_012DAE73
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DAE73 mov eax, dword ptr fs:[00000030h] 6_2_012DAE73
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DAE73 mov eax, dword ptr fs:[00000030h] 6_2_012DAE73
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012DAE73 mov eax, dword ptr fs:[00000030h] 6_2_012DAE73
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01344257 mov eax, dword ptr fs:[00000030h] 6_2_01344257
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B9240 mov eax, dword ptr fs:[00000030h] 6_2_012B9240
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B9240 mov eax, dword ptr fs:[00000030h] 6_2_012B9240
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B9240 mov eax, dword ptr fs:[00000030h] 6_2_012B9240
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B9240 mov eax, dword ptr fs:[00000030h] 6_2_012B9240
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h] 6_2_012C7E41
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h] 6_2_012C7E41
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h] 6_2_012C7E41
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h] 6_2_012C7E41
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h] 6_2_012C7E41
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C7E41 mov eax, dword ptr fs:[00000030h] 6_2_012C7E41
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B52A5 mov eax, dword ptr fs:[00000030h] 6_2_012B52A5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B52A5 mov eax, dword ptr fs:[00000030h] 6_2_012B52A5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B52A5 mov eax, dword ptr fs:[00000030h] 6_2_012B52A5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B52A5 mov eax, dword ptr fs:[00000030h] 6_2_012B52A5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012B52A5 mov eax, dword ptr fs:[00000030h] 6_2_012B52A5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_013346A7 mov eax, dword ptr fs:[00000030h] 6_2_013346A7
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CAAB0 mov eax, dword ptr fs:[00000030h] 6_2_012CAAB0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012CAAB0 mov eax, dword ptr fs:[00000030h] 6_2_012CAAB0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01380EA5 mov eax, dword ptr fs:[00000030h] 6_2_01380EA5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01380EA5 mov eax, dword ptr fs:[00000030h] 6_2_01380EA5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01380EA5 mov eax, dword ptr fs:[00000030h] 6_2_01380EA5
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012EFAB0 mov eax, dword ptr fs:[00000030h] 6_2_012EFAB0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0134FE87 mov eax, dword ptr fs:[00000030h] 6_2_0134FE87
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012ED294 mov eax, dword ptr fs:[00000030h] 6_2_012ED294
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012ED294 mov eax, dword ptr fs:[00000030h] 6_2_012ED294
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E2AE4 mov eax, dword ptr fs:[00000030h] 6_2_012E2AE4
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E16E0 mov ecx, dword ptr fs:[00000030h] 6_2_012E16E0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012C76E2 mov eax, dword ptr fs:[00000030h] 6_2_012C76E2
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E36CC mov eax, dword ptr fs:[00000030h] 6_2_012E36CC
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012E2ACB mov eax, dword ptr fs:[00000030h] 6_2_012E2ACB
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F8EC7 mov eax, dword ptr fs:[00000030h] 6_2_012F8EC7
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_01388ED6 mov eax, dword ptr fs:[00000030h] 6_2_01388ED6
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_0136FEC0 mov eax, dword ptr fs:[00000030h] 6_2_0136FEC0
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Code function: 6_2_012F9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_012F9910
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Memory allocated: page read and write | page guard Jump to behavior
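The fs:[00000030h] loads listed above are how 32-bit code reaches the Process Environment Block; whether a given site is an anti-debugging check or ordinary loader housekeeping depends on what is read next (BeingDebugged at offset 2, NtGlobalFlag at 0x68, Ldr at 0x0C). The following Python is an added example, not code from the report or from the analysed sample: it scans a raw x86 code blob for the two encodings of that load and names the PEB field accessed immediately afterwards, which is a quick way to triage a long list of hits like the one above. The code bytes it runs on are constructed, and the base address 0x401000 is hypothetical.

```python
import re

# ModRM.reg encoding -> 32-bit register name
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit PEB fields commonly read right after the fs:[30h] load
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x10: "ProcessParameters",
              0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}

# 0x64 is the FS segment-override prefix.
#   64 A1 30 00 00 00       mov eax, dword ptr fs:[30h]   (short moffs32 form)
#   64 8B /r 30 00 00 00    mov r32, dword ptr fs:[30h]   (ModRM mod=00, rm=101 => disp32)
# This is a byte-pattern heuristic, not a disassembler: confirm hits in a disassembler.
PEB_LOAD = re.compile(
    rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00")


def _peb_field_use(tail: bytes, regnum: int):
    """Heuristic: if the bytes right after the load are
    `mov r32, [reg+disp8]` (8B) or `movzx r32, byte ptr [reg+disp8]` (0F B6)
    with the PEB register as base, return the PEB field name at that offset."""
    if regnum == 4:                      # esp as base needs a SIB byte; not handled
        return None
    if tail[:1] == b"\x8b" and len(tail) >= 3:
        modrm, disp = tail[1], tail[2]
    elif tail[:2] == b"\x0f\xb6" and len(tail) >= 4:
        modrm, disp = tail[2], tail[3]
    else:
        return None
    if (modrm >> 6) != 1 or (modrm & 7) != regnum:   # need mod=01 (disp8), base=reg
        return None
    return PEB_FIELDS.get(disp, f"offset 0x{disp:02x}")


def find_peb_reads(code: bytes, base: int = 0):
    """Return [(address, register, peb_field_or_None), ...] for every fs:[30h] load."""
    hits = []
    for m in PEB_LOAD.finditer(code):
        raw = m.group(0)
        regnum = 0 if raw[1] == 0xA1 else (raw[2] >> 3) & 7
        field = _peb_field_use(code[m.end():m.end() + 4], regnum)
        hits.append((base + m.start(), REG32[regnum], field))
    return hits


def render(hits):
    """Format hits in the same shape as the report lines above."""
    return [f"{addr:08X} mov {reg}, dword ptr fs:[00000030h]"
            + (f"  ; -> PEB.{field}" if field else "")
            for addr, reg, field in hits]


# Constructed sample bytes (not taken from the analysed binary): a typical
# BeingDebugged / NtGlobalFlag check.  Base address 0x401000 is hypothetical.
SAMPLE = (
    b"\x55\x8b\xec"                    # push ebp ; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"        # mov eax, dword ptr fs:[30h]
    b"\x0f\xb6\x40\x02"                # movzx eax, byte ptr [eax+2]   ; BeingDebugged
    b"\x85\xc0\x75\x05"                # test eax, eax ; jnz +5
    b"\x64\x8b\x0d\x30\x00\x00\x00"    # mov ecx, dword ptr fs:[30h]
    b"\x8b\x41\x68"                    # mov eax, [ecx+68h]            ; NtGlobalFlag
    b"\x5d\xc3"                        # pop ebp ; ret
)

if __name__ == "__main__":
    for line in render(find_peb_reads(SAMPLE, base=0x401000)):
        print(line)
```

Run over a dumped code section (for example the unpacked image the sandbox extracted), the output separates sites that go on to read BeingDebugged or NtGlobalFlag from the far more common Ldr and ProcessHeap reads that any native runtime performs; a function such as 6_2_012DAE73 above, with five loads, is worth that second look before it is written up as anti-debugging.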

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 90000 Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Memory written: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Thread register set: target process: 684 Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 684 Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Process created: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Jump to behavior
Source: explorer.exe, 00000007.00000000.540451282.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.497150687.0000000006100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.597068063.0000000006100000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.540451282.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.474229294.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.586731988.0000000000E38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.540451282.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.474229294.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.661066106.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: YProgram Managerf
Source: explorer.exe, 00000007.00000000.540451282.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.474229294.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.661066106.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
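The evasion lines above are individual primitives: a section unmapped in NETSTAT.EXE, execute-read-write sections loaded into NETSTAT.EXE and explorer.exe, an image starting with 4D5A written at 0x400000 into a second instance of the sample, a thread context set in process 684, and an APC queued in explorer.exe. Which injection technique they add up to only becomes clear once they are grouped per source/target pair. The following Python is an added example, not part of the Joe Sandbox report or of the sample, that performs that grouping over a constructed event stream modelled on those lines. The "api" field names the native call conventionally behind each reported behaviour (the report does not show the calls themselves), and every PID except 684, the reported "Thread register set" target, is hypothetical.

```python
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40

# Hypothetical PIDs; 684 is the "Thread register set: target process" PID reported above.
PARENT_PID, CHILD_PID, NETSTAT_PID, EXPLORER_PID = 1200, 1300, 2400, 684

# Constructed event records modelled on the behaviour lines above (not sandbox output).
EVENTS = [
    # "Process created: <sample> <sample>" then "Memory written ... base: 400000 value starts with: 4D5A"
    {"api": "NtWriteVirtualMemory", "src": PARENT_PID, "dst": CHILD_PID, "base": 0x400000, "head": b"MZ\x90\x00"},
    # "Section unmapped: NETSTAT.EXE base address: 90000", RWX section loaded, thread context set
    {"api": "NtUnmapViewOfSection", "src": CHILD_PID, "dst": NETSTAT_PID, "base": 0x90000},
    {"api": "NtMapViewOfSection", "src": CHILD_PID, "dst": NETSTAT_PID, "prot": PAGE_EXECUTE_READWRITE},
    {"api": "NtSetContextThread", "src": CHILD_PID, "dst": NETSTAT_PID},
    {"api": "NtResumeThread", "src": CHILD_PID, "dst": NETSTAT_PID},
    # explorer.exe: "Section loaded ... execute and read and write", "Thread APC queued", "Thread register set"
    {"api": "NtMapViewOfSection", "src": CHILD_PID, "dst": EXPLORER_PID, "prot": PAGE_EXECUTE_READWRITE},
    {"api": "NtQueueApcThread", "src": CHILD_PID, "dst": EXPLORER_PID},
    {"api": "NtSetContextThread", "src": CHILD_PID, "dst": EXPLORER_PID},
    # the hollowed NETSTAT.EXE in turn maps into explorer.exe and sets a thread context
    {"api": "NtMapViewOfSection", "src": NETSTAT_PID, "dst": EXPLORER_PID, "prot": PAGE_EXECUTE_READWRITE},
    {"api": "NtSetContextThread", "src": NETSTAT_PID, "dst": EXPLORER_PID},
    # noise: a cross-process write that carries no PE header and no execution primitive
    {"api": "NtWriteVirtualMemory", "src": 9000, "dst": 9001, "base": 0x1F0000, "head": b"\x00\x00"},
]


def classify(events):
    """Group cross-process memory/thread events by (src, dst) and name the
    injection technique(s) the combination of primitives amounts to."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["src"] != ev["dst"]:           # a process touching itself is not injection
            by_pair[(ev["src"], ev["dst"])].append(ev)

    findings = {}
    for pair, evs in by_pair.items():
        apis = {e["api"] for e in evs}
        wrote_pe = any(e["api"] == "NtWriteVirtualMemory" and e.get("head", b"")[:2] == b"MZ"
                       for e in evs)
        mapped_rwx = any(e["api"] == "NtMapViewOfSection" and e.get("prot") == PAGE_EXECUTE_READWRITE
                         for e in evs)
        got_code = wrote_pe or mapped_rwx     # code was placed in the target
        techniques = []
        if got_code and "NtUnmapViewOfSection" in apis and "NtSetContextThread" in apis:
            techniques.append("process hollowing")
        elif got_code and "NtSetContextThread" in apis:
            techniques.append("thread hijacking via mapped/written code")
        elif wrote_pe:
            techniques.append("PE image written into target (RunPE-style; no thread-context event seen)")
        if got_code and "NtQueueApcThread" in apis:
            techniques.append("APC injection")
        if techniques:
            findings[pair] = techniques
    return findings


def injection_paths(findings, root):
    """Follow src->dst edges from the initial process to list every chain of
    processes the injected code reaches (depth-first, no revisits)."""
    paths, stack = [], [[root]]
    while stack:
        path = stack.pop()
        nxt = [dst for (src, dst) in findings if src == path[-1] and dst not in path]
        if not nxt and len(path) > 1:
            paths.append(path)
        stack.extend(path + [dst] for dst in nxt)
    return sorted(paths)


if __name__ == "__main__":
    found = classify(EVENTS)
    for (src, dst), techs in found.items():
        print(f"{src} -> {dst}: {', '.join(techs)}")
    for path in injection_paths(found, PARENT_PID):
        print(" -> ".join(map(str, path)))
```

The rules are deliberately conservative: a mapping that is only read-write, like the first explorer.exe section loaded by NETSTAT.EXE above, does not count as placing code, and a PE write without a later thread-context or APC event is reported as such rather than upgraded to hollowing. Fed real telemetry (sandbox API logs or EDR cross-process events), the path listing shows the full hop chain, here sample, second sample instance, NETSTAT.EXE and finally explorer.exe, which is the process a responder should dump.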
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 6.0.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT Transfer (103) __037RTG2050822156____Pdf__.exe.436db18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.607026478.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.460111933.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.689373847.0000000000110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.474529782.000000000436D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.693653140.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.566602114.000000000DE02000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.693445198.0000000002F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
No contacted IP infos