Windows Analysis Report
payment swift.exe

Overview

General Information

Sample Name: payment swift.exe
Analysis ID: 755998
MD5: 0eb99950c8a30fee01ebfdaa33498b22
SHA1: 54557815e576ac70fcbcdfcb6765f3d2a2dff507
SHA256: 469dae2eed97bbfe08ae548308e77aedcd0795fb4b2b1abcdd1a0315fe1ff216
Tags: exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Found evasive API chain (may stop execution after accessing registry keys)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: payment swift.exe ReversingLabs: Detection: 30%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe ReversingLabs: Detection: 30%
Machine Learning detection for sample
Source: payment swift.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.payment swift.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 0.2.payment swift.exe.4392240.6.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "host39.registrar-servers.com", "Username": "dickson@potashin.us", "Password": "*r4} Du LH n87G"}
Uses 32bit PE files
Source: payment swift.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: payment swift.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 68.65.122.214 68.65.122.214
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49695 -> 68.65.122.214:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49695 -> 68.65.122.214:587
Source: payment swift.exe, 00000001.00000002.570872866.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.569999847.0000000002841000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.571356587.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: WdFVsOe.exe, 00000006.00000002.571356587.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: payment swift.exe, 00000001.00000002.568239695.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, payment swift.exe, 00000001.00000002.578503982.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.578453028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.587147691.0000000006360000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.579742937.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: payment swift.exe, 00000001.00000002.585869850.0000000006020000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.587147691.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: WdFVsOe.exe, 00000003.00000002.587147691.0000000006360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comor
Source: payment swift.exe, 00000001.00000002.568239695.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, payment swift.exe, 00000001.00000002.568309572.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, payment swift.exe, 00000001.00000002.578503982.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.578453028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.587147691.0000000006360000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.579742937.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: payment swift.exe, 00000001.00000002.578503982.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.578453028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.579742937.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://host39.registrar-servers.com
Source: WdFVsOe.exe, 00000006.00000002.571356587.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://kjkcOA.com
Source: payment swift.exe, 00000001.00000002.568239695.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, payment swift.exe, 00000001.00000002.578503982.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.578453028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.587147691.0000000006360000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.579742937.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: payment swift.exe, 00000001.00000002.568239695.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, payment swift.exe, 00000001.00000002.568309572.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, payment swift.exe, 00000001.00000002.578503982.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.578453028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.587147691.0000000006360000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.579742937.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com09
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: WdFVsOe.exe, 00000006.00000002.578885319.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.579991612.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://D16a0atI7uWaj.com
Source: WdFVsOe.exe, 00000003.00000002.577583432.0000000002B6F000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.578885319.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://D16a0atI7uWaj.comX
Source: payment swift.exe, 00000001.00000002.568239695.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, payment swift.exe, 00000001.00000002.568309572.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, payment swift.exe, 00000001.00000002.578503982.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.578453028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.587147691.0000000006360000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.579742937.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: payment swift.exe, 00000001.00000002.570872866.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.569999847.0000000002841000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.571356587.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: host39.registrar-servers.com
Creates a DirectInput object (often for capturing keystrokes)
Source: payment swift.exe, 00000000.00000002.314965866.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.2.WdFVsOe.exe.25e063c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.payment swift.exe.4392240.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment swift.exe.4392240.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.payment swift.exe.30605f0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 1.0.payment swift.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.payment swift.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.payment swift.exe.42fe420.8.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment swift.exe.42fe420.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.payment swift.exe.42fe420.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.payment swift.exe.4392240.6.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment swift.exe.4392240.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 2.2.WdFVsOe.exe.25c2e6c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.payment swift.exe.3042e20.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.payment swift.exe.427e9d0.7.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment swift.exe.427e9d0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.payment swift.exe.427e9d0.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.313645910.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.318247702.000000000427E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: payment swift.exe PID: 3100, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: payment swift.exe PID: 4460, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: payment swift.exe
.NET source code contains very large array initializations
Source: 1.0.payment swift.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b0E0679B2u002d33DEu002d4D95u002d91A6u002dB53FD5CAAFFCu007d/C3E9AD79u002dA89Eu002d49B7u002dBD79u002dAAE98BEF935A.cs Large array initialization: .cctor: array initializer size 10947
Uses 32bit PE files
Source: payment swift.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 2.2.WdFVsOe.exe.25e063c.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.payment swift.exe.4392240.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment swift.exe.4392240.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.payment swift.exe.30605f0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 1.0.payment swift.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.payment swift.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.payment swift.exe.42fe420.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment swift.exe.42fe420.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.payment swift.exe.42fe420.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.payment swift.exe.4392240.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment swift.exe.4392240.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 2.2.WdFVsOe.exe.25c2e6c.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.payment swift.exe.3042e20.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.payment swift.exe.427e9d0.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment swift.exe.427e9d0.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.payment swift.exe.427e9d0.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.313645910.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.318247702.000000000427E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: payment swift.exe PID: 3100, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: payment swift.exe PID: 4460, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Detected potential crypto function
Source: C:\Users\user\Desktop\payment swift.exe Code function: 0_2_0146C164 0_2_0146C164
Source: C:\Users\user\Desktop\payment swift.exe Code function: 0_2_0146E5A2 0_2_0146E5A2
Source: C:\Users\user\Desktop\payment swift.exe Code function: 0_2_0146E5B0 0_2_0146E5B0
Source: C:\Users\user\Desktop\payment swift.exe Code function: 0_2_07AC6EC0 0_2_07AC6EC0
Source: C:\Users\user\Desktop\payment swift.exe Code function: 0_2_07AC0006 0_2_07AC0006
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_0290FAA0 1_2_0290FAA0
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_02906CA2 1_2_02906CA2
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_0290BB27 1_2_0290BB27
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_05C6C550 1_2_05C6C550
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_05C6A088 1_2_05C6A088
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_05C6D2B0 1_2_05C6D2B0
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_05C629F8 1_2_05C629F8
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_05C60910 1_2_05C60910
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_05C60040 1_2_05C60040
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_06138EF0 1_2_06138EF0
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_0613E778 1_2_0613E778
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_06130040 1_2_06130040
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_0613B910 1_2_0613B910
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_06138E8C 1_2_06138E8C
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_06134758 1_2_06134758
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_06131F88 1_2_06131F88
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_061369E0 1_2_061369E0
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_061652A8 1_2_061652A8
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_06166320 1_2_06166320
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_06160040 1_2_06160040
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_0616BF48 1_2_0616BF48
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_06165B98 1_2_06165B98
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_0616A7B1 1_2_0616A7B1
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Code function: 2_2_0243C164 2_2_0243C164
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Code function: 2_2_0243E5A2 2_2_0243E5A2
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Code function: 2_2_0243E5B0 2_2_0243E5B0
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Code function: 2_2_06B76EC0 2_2_06B76EC0
Sample file is different than original file name gathered from version info
Source: payment swift.exe, 00000000.00000002.320676583.0000000007820000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCollins.dll8 vs payment swift.exe
Source: payment swift.exe, 00000000.00000002.314965866.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs payment swift.exe
Source: payment swift.exe, 00000000.00000002.318247702.000000000427E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCollins.dll8 vs payment swift.exe
Source: payment swift.exe, 00000000.00000002.318247702.000000000427E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename249b56aa-023a-4323-a10f-63343cbc6341.exe4 vs payment swift.exe
Source: payment swift.exe, 00000000.00000002.315641125.0000000003021000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrecision.dll6 vs payment swift.exe
Source: payment swift.exe, 00000000.00000002.315641125.0000000003021000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameInspector.dllN vs payment swift.exe
Source: payment swift.exe, 00000000.00000002.315641125.0000000003021000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename249b56aa-023a-4323-a10f-63343cbc6341.exe4 vs payment swift.exe
Source: payment swift.exe, 00000000.00000000.297023516.0000000000B6A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamebHnw.exeB vs payment swift.exe
Source: payment swift.exe, 00000001.00000002.564549054.0000000000B58000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs payment swift.exe
Source: payment swift.exe, 00000001.00000000.313798542.0000000000438000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename249b56aa-023a-4323-a10f-63343cbc6341.exe4 vs payment swift.exe
Source: payment swift.exe Binary or memory string: OriginalFilenamebHnw.exeB vs payment swift.exe
Source: payment swift.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WdFVsOe.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: payment swift.exe ReversingLabs: Detection: 30%
Source: C:\Users\user\Desktop\payment swift.exe File read: C:\Users\user\Desktop\payment swift.exe Jump to behavior
Source: payment swift.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\payment swift.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\payment swift.exe C:\Users\user\Desktop\payment swift.exe
Source: C:\Users\user\Desktop\payment swift.exe Process created: C:\Users\user\Desktop\payment swift.exe C:\Users\user\Desktop\payment swift.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe "C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe"
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe "C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe"
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Source: C:\Users\user\Desktop\payment swift.exe Process created: C:\Users\user\Desktop\payment swift.exe C:\Users\user\Desktop\payment swift.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment swift.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\payment swift.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment swift.exe.log Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe File created: C:\Users\user\AppData\Local\Temp\tmp13F9.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/4@3/1
Source: payment swift.exe, 00000000.00000000.296923534.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, WdFVsOe.exe.1.dr Binary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
Source: payment swift.exe, 00000000.00000000.296923534.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, WdFVsOe.exe.1.dr Binary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
Source: payment swift.exe, 00000000.00000000.296923534.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, WdFVsOe.exe.1.dr Binary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);
Source: payment swift.exe, 00000001.00000002.578471634.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.577540601.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.578850588.0000000002E47000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: payment swift.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\payment swift.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: payment swift.exe String found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
Source: payment swift.exe String found in binary or memory: Username:-AddusertextBoxUsernameCash
Source: 1.0.payment swift.exe.400000.0.unpack, A/f2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.payment swift.exe.400000.0.unpack, A/f2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\payment swift.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\payment swift.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: payment swift.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: payment swift.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\payment swift.exe Code function: 0_2_07AC35FB push eax; retf 0_2_07AC35FC
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_06130040 push es; iretd 1_2_06130EB0
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_061344FD push es; retf 1_2_06134548
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_06134141 push es; retf 1_2_061344FC
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_06134549 push es; retf 1_2_06134594
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_06133590 push es; retf 1_2_061344FC
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Code function: 2_2_06B735FB push eax; retf 2_2_06B735FC
Source: initial sample Static PE information: section name: .text entropy: 7.664774300353232
Source: initial sample Static PE information: section name: .text entropy: 7.664774300353232
Drops PE files
Source: C:\Users\user\Desktop\payment swift.exe File created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Jump to dropped file
Source: C:\Users\user\Desktop\payment swift.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WdFVsOe Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WdFVsOe Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\payment swift.exe File opened: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: 2.2.WdFVsOe.exe.25e063c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment swift.exe.30605f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.WdFVsOe.exe.25c2e6c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment swift.exe.3042e20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.315807649.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.360649511.0000000002655000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.360150897.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.315641125.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: payment swift.exe PID: 3100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WdFVsOe.exe PID: 2460, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: payment swift.exe, 00000000.00000002.315807649.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, payment swift.exe, 00000000.00000002.315641125.0000000003021000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000002.00000002.360649511.0000000002655000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000002.00000002.360150897.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000004.00000002.387309784.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000004.00000002.387853297.0000000002B65000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: payment swift.exe, 00000000.00000002.315807649.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, payment swift.exe, 00000000.00000002.315641125.0000000003021000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000002.00000002.360649511.0000000002655000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000002.00000002.360150897.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000004.00000002.387309784.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000004.00000002.387853297.0000000002B65000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\payment swift.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\payment swift.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\payment swift.exe TID: 400 Thread sleep time: -38122s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 4832 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -16602069666338586s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5892 Thread sleep count: 9812 > 30 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -99858s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -99732s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -99623s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -99504s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -99344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -99234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -99123s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -99015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -98904s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -98793s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -98657s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -98484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -98370s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -98264s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -98124s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -98015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -97906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -97793s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -97687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -97578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -97468s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -97356s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -97218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900 Thread sleep time: -97109s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 3720 Thread sleep time: -38122s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5048 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -20291418481080494s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 4920 Thread sleep count: 9817 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -99844s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -99719s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -99602s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -99453s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -99328s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -99219s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -99108s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -98982s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -98868s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -98643s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -98500s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -98371s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -98219s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -98109s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -97998s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -97501s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -97360s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -97202s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -97072s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -96515s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104 Thread sleep time: -96405s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5976 Thread sleep time: -38122s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 3456 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1244 Thread sleep count: 9836 > 30
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -99870s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -99750s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -99620s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -99500s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -99391s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -99265s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -99156s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -99043s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -98523s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -98185s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -98078s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -97964s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -97856s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -97744s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -97637s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -97512s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248 Thread sleep time: -97344s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\payment swift.exe Window / User API: threadDelayed 9812 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Window / User API: threadDelayed 9817 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Window / User API: threadDelayed 9836
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Users\user\Desktop\payment swift.exe Evasive API call chain: RegQueryValue,DecisionNodes,Sleep
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\payment swift.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment swift.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\payment swift.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 38122 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 99858 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 99732 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 99623 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 99504 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 99344 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 99234 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 99123 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 99015 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 98904 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 98793 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 98657 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 98484 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 98370 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 98264 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 98124 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 98015 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 97906 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 97793 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 97687 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 97578 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 97468 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 97356 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 97218 Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Thread delayed: delay time: 97109 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 38122 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99844 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99719 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99602 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99453 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99328 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99219 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99108 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98982 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98868 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98643 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98500 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98371 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98219 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98109 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97998 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97501 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97360 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97202 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97072 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 96515 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 96405 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 38122 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99870
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99750
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99620
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99500
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99391
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99265
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99156
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99043
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98906
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98797
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98656
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98523
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98406
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98297
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98185
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98078
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97964
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97856
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97744
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97637
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97512
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97344
Source: WdFVsOe.exe, 00000004.00000002.387853297.0000000002B65000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: WdFVsOe.exe, 00000004.00000002.387853297.0000000002B65000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: WdFVsOe.exe, 00000004.00000002.387309784.00000000028A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: WdFVsOe.exe, 00000004.00000002.387853297.0000000002B65000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Enables debug privileges
Source: C:\Users\user\Desktop\payment swift.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\payment swift.exe Code function: 1_2_06135110 LdrInitializeThunk, 1_2_06135110
Source: C:\Users\user\Desktop\payment swift.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\payment swift.exe Process created: C:\Users\user\Desktop\payment swift.exe C:\Users\user\Desktop\payment swift.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Users\user\Desktop\payment swift.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to