IOC Report
payment swift.exe


Files

File Path | Type | Category | Malicious
payment swift.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment swift.exe.log | ASCII text, with CRLF line terminators | dropped | malicious
C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe:Zone.Identifier | ASCII text, with CRLF line terminators | modified | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WdFVsOe.exe.log | ASCII text, with CRLF line terminators | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\payment swift.exe | C:\Users\user\Desktop\payment swift.exe | malicious
C:\Users\user\Desktop\payment swift.exe | C:\Users\user\Desktop\payment swift.exe | malicious
C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe | "C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe" | malicious
C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe | C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe | malicious
C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe | "C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe" | malicious
C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe | C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe | malicious
C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe | C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe | malicious

URLs

Name | IP | Malicious

Domains

Name | IP | Malicious
host39.registrar-servers.com | 68.65.122.214 |

IPs

IP | Domain | Country | Malicious
68.65.122.214 | host39.registrar-servers.com | United States |

Registry

Path | Value | Malicious
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | WdFVsOe |
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run | WdFVsOe |

Memdumps

Base Address | Region type | Protect | Malicious
402000 | remote allocation | page execute and read and write | malicious
2655000 | trusted library allocation | page read and write | malicious
30D5000 | trusted library allocation | page read and write | malicious