Windows Analysis Report
payment swift.exe

Overview

General Information

Sample Name:	payment swift.exe
Analysis ID:	755998
MD5:	0eb99950c8a30fee01ebfdaa33498b22
SHA1:	54557815e576ac70fcbcdfcb6765f3d2a2dff507
SHA256:	469dae2eed97bbfe08ae548308e77aedcd0795fb4b2b1abcdd1a0315fe1ff216
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Found evasive API chain (may stop execution after accessing registry keys)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: payment swift.exe

ReversingLabs: Detection: 30%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe

ReversingLabs: Detection: 30%

Machine Learning detection for sample

Source: payment swift.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 1.0.payment swift.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 0.2.payment swift.exe.4392240.6.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "host39.registrar-servers.com", "Username": "dickson@potashin.us", "Password": "*r4} Du LH n87G"}

Uses 32bit PE files

Source: payment swift.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: payment swift.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 68.65.122.214 68.65.122.214

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49695 -> 68.65.122.214:587

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.4:49695 -> 68.65.122.214:587

Source: payment swift.exe, 00000001.00000002.570872866.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.569999847.0000000002841000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.571356587.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: WdFVsOe.exe, 00000006.00000002.571356587.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: payment swift.exe, 00000001.00000002.568239695.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, payment swift.exe, 00000001.00000002.578503982.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.578453028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.587147691.0000000006360000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.579742937.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: payment swift.exe, 00000001.00000002.585869850.0000000006020000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.587147691.0000000006360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: WdFVsOe.exe, 00000003.00000002.587147691.0000000006360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comor
Source: payment swift.exe, 00000001.00000002.568239695.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, payment swift.exe, 00000001.00000002.568309572.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, payment swift.exe, 00000001.00000002.578503982.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.578453028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.587147691.0000000006360000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.579742937.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: payment swift.exe, 00000001.00000002.578503982.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.578453028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.579742937.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://host39.registrar-servers.com
Source: WdFVsOe.exe, 00000006.00000002.571356587.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://kjkcOA.com
Source: payment swift.exe, 00000001.00000002.568239695.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, payment swift.exe, 00000001.00000002.578503982.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.578453028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.587147691.0000000006360000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.579742937.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: payment swift.exe, 00000001.00000002.568239695.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, payment swift.exe, 00000001.00000002.568309572.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, payment swift.exe, 00000001.00000002.578503982.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.578453028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.587147691.0000000006360000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.579742937.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com09
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: payment swift.exe, 00000000.00000002.319963745.0000000006F82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: WdFVsOe.exe, 00000006.00000002.578885319.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.579991612.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://D16a0atI7uWaj.com
Source: WdFVsOe.exe, 00000003.00000002.577583432.0000000002B6F000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.578885319.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://D16a0atI7uWaj.comX
Source: payment swift.exe, 00000001.00000002.568239695.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, payment swift.exe, 00000001.00000002.568309572.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, payment swift.exe, 00000001.00000002.578503982.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.578453028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.587147691.0000000006360000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.579742937.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: payment swift.exe, 00000001.00000002.570872866.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.569999847.0000000002841000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.571356587.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: host39.registrar-servers.com

Creates a DirectInput object (often for capturing keystrokes)

Source: payment swift.exe, 00000000.00000002.314965866.0000000001240000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.WdFVsOe.exe.25e063c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.payment swift.exe.4392240.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment swift.exe.4392240.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.payment swift.exe.30605f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 1.0.payment swift.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.payment swift.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.payment swift.exe.42fe420.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment swift.exe.42fe420.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.payment swift.exe.42fe420.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.payment swift.exe.4392240.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment swift.exe.4392240.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 2.2.WdFVsOe.exe.25c2e6c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.payment swift.exe.3042e20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.payment swift.exe.427e9d0.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment swift.exe.427e9d0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.payment swift.exe.427e9d0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.313645910.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.318247702.000000000427E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: payment swift.exe PID: 3100, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: payment swift.exe PID: 4460, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: payment swift.exe

.NET source code contains very large array initializations

Source: 1.0.payment swift.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b0E0679B2u002d33DEu002d4D95u002d91A6u002dB53FD5CAAFFCu007d/C3E9AD79u002dA89Eu002d49B7u002dBD79u002dAAE98BEF935A.cs

Large array initialization: .cctor: array initializer size 10947

Uses 32bit PE files

Source: payment swift.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 2.2.WdFVsOe.exe.25e063c.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.payment swift.exe.4392240.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment swift.exe.4392240.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.payment swift.exe.30605f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 1.0.payment swift.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.payment swift.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.payment swift.exe.42fe420.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment swift.exe.42fe420.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.payment swift.exe.42fe420.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.payment swift.exe.4392240.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment swift.exe.4392240.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 2.2.WdFVsOe.exe.25c2e6c.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.payment swift.exe.3042e20.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.payment swift.exe.427e9d0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment swift.exe.427e9d0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.payment swift.exe.427e9d0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.313645910.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.318247702.000000000427E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: payment swift.exe PID: 3100, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: payment swift.exe PID: 4460, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Detected potential crypto function

Source: C:\Users\user\Desktop\payment swift.exe	Code function: 0_2_0146C164	0_2_0146C164
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 0_2_0146E5A2	0_2_0146E5A2
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 0_2_0146E5B0	0_2_0146E5B0
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 0_2_07AC6EC0	0_2_07AC6EC0
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 0_2_07AC0006	0_2_07AC0006
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_0290FAA0	1_2_0290FAA0
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_02906CA2	1_2_02906CA2
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_0290BB27	1_2_0290BB27
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_05C6C550	1_2_05C6C550
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_05C6A088	1_2_05C6A088
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_05C6D2B0	1_2_05C6D2B0
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_05C629F8	1_2_05C629F8
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_05C60910	1_2_05C60910
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_05C60040	1_2_05C60040
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_06138EF0	1_2_06138EF0
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_0613E778	1_2_0613E778
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_06130040	1_2_06130040
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_0613B910	1_2_0613B910
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_06138E8C	1_2_06138E8C
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_06134758	1_2_06134758
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_06131F88	1_2_06131F88
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_061369E0	1_2_061369E0
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_061652A8	1_2_061652A8
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_06166320	1_2_06166320
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_06160040	1_2_06160040
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_0616BF48	1_2_0616BF48
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_06165B98	1_2_06165B98
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_0616A7B1	1_2_0616A7B1
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Code function: 2_2_0243C164	2_2_0243C164
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Code function: 2_2_0243E5A2	2_2_0243E5A2
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Code function: 2_2_0243E5B0	2_2_0243E5B0
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Code function: 2_2_06B76EC0	2_2_06B76EC0

Sample file is different than original file name gathered from version info

Source: payment swift.exe, 00000000.00000002.320676583.0000000007820000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs payment swift.exe
Source: payment swift.exe, 00000000.00000002.314965866.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs payment swift.exe
Source: payment swift.exe, 00000000.00000002.318247702.000000000427E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs payment swift.exe
Source: payment swift.exe, 00000000.00000002.318247702.000000000427E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename249b56aa-023a-4323-a10f-63343cbc6341.exe4 vs payment swift.exe
Source: payment swift.exe, 00000000.00000002.315641125.0000000003021000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrecision.dll6 vs payment swift.exe
Source: payment swift.exe, 00000000.00000002.315641125.0000000003021000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInspector.dllN vs payment swift.exe
Source: payment swift.exe, 00000000.00000002.315641125.0000000003021000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename249b56aa-023a-4323-a10f-63343cbc6341.exe4 vs payment swift.exe
Source: payment swift.exe, 00000000.00000000.297023516.0000000000B6A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebHnw.exeB vs payment swift.exe
Source: payment swift.exe, 00000001.00000002.564549054.0000000000B58000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs payment swift.exe
Source: payment swift.exe, 00000001.00000000.313798542.0000000000438000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename249b56aa-023a-4323-a10f-63343cbc6341.exe4 vs payment swift.exe
Source: payment swift.exe	Binary or memory string: OriginalFilenamebHnw.exeB vs payment swift.exe

Source: payment swift.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WdFVsOe.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: payment swift.exe

ReversingLabs: Detection: 30%

Source: C:\Users\user\Desktop\payment swift.exe

File read: C:\Users\user\Desktop\payment swift.exe

Source: unknown	Process created: C:\Users\user\Desktop\payment swift.exe C:\Users\user\Desktop\payment swift.exe
Source: C:\Users\user\Desktop\payment swift.exe	Process created: C:\Users\user\Desktop\payment swift.exe C:\Users\user\Desktop\payment swift.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe "C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe"
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe "C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe"
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Source: C:\Users\user\Desktop\payment swift.exe	Process created: C:\Users\user\Desktop\payment swift.exe C:\Users\user\Desktop\payment swift.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Jump to behavior

Source: C:\Users\user\Desktop\payment swift.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment swift.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: payment swift.exe, 00000000.00000000.296923534.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, WdFVsOe.exe.1.dr	Binary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
Source: payment swift.exe, 00000000.00000000.296923534.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, WdFVsOe.exe.1.dr	Binary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
Source: payment swift.exe, 00000000.00000000.296923534.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, WdFVsOe.exe.1.dr	Binary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);
Source: payment swift.exe, 00000001.00000002.578471634.0000000002E6A000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000003.00000002.577540601.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000006.00000002.578850588.0000000002E47000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: payment swift.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\payment swift.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: payment swift.exe	String found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
Source: payment swift.exe	String found in binary or memory: Username:-AddusertextBoxUsernameCash

Source: 1.0.payment swift.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.payment swift.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\payment swift.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\payment swift.exe	Code function: 0_2_07AC35FB push eax; retf	0_2_07AC35FC
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_06130040 push es; iretd	1_2_06130EB0
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_061344FD push es; retf	1_2_06134548
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_06134141 push es; retf	1_2_061344FC
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_06134549 push es; retf	1_2_06134594
Source: C:\Users\user\Desktop\payment swift.exe	Code function: 1_2_06133590 push es; retf	1_2_061344FC
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Code function: 2_2_06B735FB push eax; retf	2_2_06B735FC

Source: initial sample	Static PE information: section name: .text entropy: 7.664774300353232
Source: initial sample	Static PE information: section name: .text entropy: 7.664774300353232

Source: C:\Users\user\Desktop\payment swift.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WdFVsOe			Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WdFVsOe			Jump to behavior

Source: Yara match	File source: 2.2.WdFVsOe.exe.25e063c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment swift.exe.30605f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.WdFVsOe.exe.25c2e6c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment swift.exe.3042e20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.315807649.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.360649511.0000000002655000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.360150897.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.315641125.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment swift.exe PID: 3100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WdFVsOe.exe PID: 2460, type: MEMORYSTR

Source: payment swift.exe, 00000000.00000002.315807649.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, payment swift.exe, 00000000.00000002.315641125.0000000003021000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000002.00000002.360649511.0000000002655000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000002.00000002.360150897.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000004.00000002.387309784.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000004.00000002.387853297.0000000002B65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: payment swift.exe, 00000000.00000002.315807649.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, payment swift.exe, 00000000.00000002.315641125.0000000003021000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000002.00000002.360649511.0000000002655000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000002.00000002.360150897.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000004.00000002.387309784.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 00000004.00000002.387853297.0000000002B65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\payment swift.exe TID: 400	Thread sleep time: -38122s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 4832	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5892	Thread sleep count: 9812 > 30	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -99858s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -99732s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -99623s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -99504s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -99344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -99123s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -98904s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -98793s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -98657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -98484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -98370s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -98264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -98124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -98015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -97906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -97793s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -97687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -97578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -97468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -97356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -97218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe TID: 5900	Thread sleep time: -97109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 3720	Thread sleep time: -38122s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5048	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 4920	Thread sleep count: 9817 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -99844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -99719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -99602s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -99108s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -98982s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -98868s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -98643s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -98500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -98371s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -98109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -97998s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -97501s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -97360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -97202s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -97072s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -96515s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5104	Thread sleep time: -96405s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5976	Thread sleep time: -38122s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 3456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1244	Thread sleep count: 9836 > 30
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -99870s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -99750s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -99620s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -99500s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -99391s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -99265s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -99156s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -99043s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -98523s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -98185s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -98078s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -97964s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -97856s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -97744s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -97637s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -97512s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5248	Thread sleep time: -97344s >= -30000s

Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\payment swift.exe	Window / User API: threadDelayed 9812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Window / User API: threadDelayed 9817	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Window / User API: threadDelayed 9836

Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 38122	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 99858	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 99732	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 99623	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 99504	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 99344	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 99123	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 98904	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 98793	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 98657	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 98484	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 98370	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 98264	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 98124	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 97793	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 97468	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 97356	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 97218	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Thread delayed: delay time: 97109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 38122	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99602	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99108	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98982	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98868	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98643	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98371	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97998	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97501	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97202	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97072	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 96515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 96405	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 38122	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99870
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99750
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99620
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99500
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99391
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99265
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99156
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99043
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98906
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98797
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98656
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98523
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98406
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98297
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98185
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98078
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97964
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97856
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97744
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97637
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97512
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97344

Source: WdFVsOe.exe, 00000004.00000002.387853297.0000000002B65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: WdFVsOe.exe, 00000004.00000002.387853297.0000000002B65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: WdFVsOe.exe, 00000004.00000002.387309784.00000000028A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: WdFVsOe.exe, 00000004.00000002.387853297.0000000002B65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: Yara match	File source: 0.2.payment swift.exe.4392240.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.payment swift.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment swift.exe.42fe420.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment swift.exe.4392240.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment swift.exe.427e9d0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.313645910.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.318247702.000000000427E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.570872866.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.571356587.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.569999847.0000000002841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment swift.exe PID: 3100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: payment swift.exe PID: 4460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WdFVsOe.exe PID: 4768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WdFVsOe.exe PID: 1276, type: MEMORYSTR

Source: C:\Users\user\Desktop\payment swift.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\payment swift.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Windows Analysis Report payment swift.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
payment swift.exe

ID:	755998
Product:	CloudBasic
Start time:	13:26:11
Start date:	29.11.2022
Sample:	payment swift.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	0eb99950c8a30fee01ebfdaa33498b22
SHA1:	54557815e576ac70fcbcdfcb6765f3d2a2dff507
SHA256:	469dae2eed97bbfe08ae548308e77aedcd0795fb4b2b1abcdd1a0315fe1ff216
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WdFVsOe.exe.log	ASCII text, with CRLF line terminators	FED34146BF2F2FA59DCF8702FCC8232E	B03BFEA175989D989850CF06FE5E7BBF56EAA00A	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment swift.exe.log	ASCII text, with CRLF line terminators	FED34146BF2F2FA59DCF8702FCC8232E	B03BFEA175989D989850CF06FE5E7BBF56EAA00A	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	0EB99950C8A30FEE01EBFDAA33498B22	54557815E576AC70FCBCDFCB6765F3D2A2DFF507	469DAE2EED97BBFE08AE548308E77AEDCD0795FB4B2B1ABCDD1A0315FE1FF216
C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309