Windows Analysis Report
SWIFT copy.29112022.Pdf.exe

Overview

General Information

Sample Name: SWIFT copy.29112022.Pdf.exe
Analysis ID: 756157
MD5: 5f400bae896422a69db460a4507fd657
SHA1: e90b7c431d34b39bef8492de7fb987f51c3fb804
SHA256: d5de496be1535d0b8d9c8f57087e9ae2a26aaf7c33c2ddca65b3231dc3b2460b
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: SWIFT copy.29112022.Pdf.exe ReversingLabs: Detection: 73%
Source: SWIFT copy.29112022.Pdf.exe Virustotal: Detection: 30%
Source: SWIFT copy.29112022.Pdf.exe Joe Sandbox ML: detected
Source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "humhum@nutiribio.com", "Password": "zGNVO(l5", "Host": "smtp.nutiribio.com"}
Source: SWIFT copy.29112022.Pdf.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SWIFT copy.29112022.Pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Veqz.pdb source: SWIFT copy.29112022.Pdf.exe

Networking

Source: Yara match File source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT copy.29112022.Pdf.exe.46ed468.11.raw.unpack, type: UNPACKEDPE
Source: SWIFT copy.29112022.Pdf.exe, 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SWIFT copy.29112022.Pdf.exe, 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: SWIFT copy.29112022.Pdf.exe, 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://MBStZn.com
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257939001.0000000006113000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.agfamonotype.A
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253632184.00000000060EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255262809.0000000006101000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255202145.0000000006101000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253897098.0000000006104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253933848.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255262809.0000000006101000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254256532.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254664468.0000000006101000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253917497.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253857719.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254357438.0000000006101000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254029297.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255202145.0000000006101000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254571950.0000000006108000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254070990.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255068805.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254099387.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253979663.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254516942.0000000006103000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254933421.0000000006108000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254150676.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254821011.0000000006108000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254466136.0000000006101000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254991909.0000000006101000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253997155.0000000006105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comams
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253933848.0000000006105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comand
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253933848.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253917497.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254029297.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253979663.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253997155.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254013548.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253897098.0000000006104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comce
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254029297.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253997155.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254013548.0000000006105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comcin
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253857719.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253819477.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253836809.0000000006105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comd
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253857719.0000000006105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comexc
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253857719.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253819477.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253804133.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253836809.0000000006105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comf
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253933848.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253917497.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254029297.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253979663.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253997155.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254013548.0000000006105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comits
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254029297.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254070990.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254099387.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253979663.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253997155.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254013548.0000000006105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254070990.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254099387.0000000006104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comont
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253933848.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253917497.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253857719.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254029297.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254070990.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254099387.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253979663.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253819477.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253997155.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253836809.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254013548.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253897098.0000000006104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comsig
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255750448.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255693586.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253933848.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255516044.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.256346314.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255262809.0000000006101000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.256544652.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255635634.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254256532.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255461197.0000000006101000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254664468.0000000006101000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253917497.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253857719.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254357438.0000000006101000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254029297.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255970374.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255202145.0000000006101000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255320276.0000000006101000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254571950.0000000006108000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254070990.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.256649188.0000000006104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comtig
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254256532.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254029297.0000000006105000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254070990.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254099387.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254150676.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254013548.0000000006105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comw.m
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.260416887.00000000060DB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259471570.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com.TTF
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.258138745.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259693042.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.265884768.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257911788.0000000006104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257560437.0000000006112000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257499785.0000000006113000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257336197.0000000006113000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257812332.0000000006113000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257867723.0000000006113000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257765651.0000000006113000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257891265.0000000006112000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257388371.0000000006112000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257305464.0000000006104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259471570.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259471570.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html/
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257433913.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.257374815.0000000006104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersZ
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.265995122.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.266070435.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.265884768.0000000006104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designerse
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.258022793.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.258138745.0000000006104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersers
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.258710516.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.258780346.0000000006104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersh
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259946306.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259985359.0000000006105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersv
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.260416887.00000000060DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.260416887.00000000060DB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259471570.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259380642.00000000060DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comL.TTF
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.271326038.00000000060D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comM95
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.260416887.00000000060DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comW8
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259471570.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259380642.00000000060DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.271326038.00000000060D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comas
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.260416887.00000000060DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comcoma
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.260416887.00000000060DB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259471570.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.259380642.00000000060DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.260416887.00000000060DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comf9
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.271326038.00000000060D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comionF
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.271326038.00000000060D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.como
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.260416887.00000000060DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comsiva
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.260416887.00000000060DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comttoF
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.251283967.00000000060EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com//w
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.251323429.00000000060EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.comjat
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.251323429.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.251406146.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.251283967.00000000060EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.comw.m
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253405708.0000000006103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.ce
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253426143.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.ck;
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253357265.00000000060EA000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253482553.0000000006103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253482553.0000000006103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/ei
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253366138.0000000006103000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253347704.0000000006103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnf
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261645746.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261742667.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261645746.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261742667.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/M95
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261855251.00000000060E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.262337254.00000000060E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261656122.00000000060E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.262264309.00000000060E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261586821.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261709013.0000000006104000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261757335.0000000006104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmQ
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254538096.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255439619.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255536119.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255031466.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255607455.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255481061.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255829393.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255099459.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255925563.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.256145848.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254634935.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254794551.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255290205.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254595717.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255391228.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254429222.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255232174.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254860385.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254538096.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255439619.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255536119.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255031466.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255607455.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255481061.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255099459.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/?9g
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254794551.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255290205.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255391228.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255232174.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254860385.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255439619.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255031466.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255099459.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/M95
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254634935.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254794551.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254595717.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254429222.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254860385.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254538096.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Verd
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254634935.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254595717.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254538096.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/W8
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254634935.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254794551.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254595717.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254860385.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254538096.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Xx
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254634935.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254595717.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254634935.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254794551.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254860385.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0nf9
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254634935.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/i9
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255099459.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254794551.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254860385.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255031466.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255099459.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/W8
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254794551.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254860385.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/i9
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254634935.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254794551.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254595717.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254429222.00000000060DA000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254860385.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254538096.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255031466.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255099459.00000000060DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/t9
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261855251.00000000060E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261539461.00000000060DD000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.262337254.00000000060E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.261656122.00000000060E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.262264309.00000000060E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.monotype.UC
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250782932.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250927671.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250846587.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250578869.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250629587.00000000060EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250578869.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250629587.00000000060EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comalv
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250782932.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250578869.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250629587.00000000060EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comegr
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250782932.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250927671.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.251160398.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250846587.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250963346.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250995609.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.251206432.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.251041022.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250629587.00000000060EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comof
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250629587.00000000060EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comria
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250782932.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250927671.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250846587.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250963346.00000000060EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.250995609.00000000060EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comu
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255401180.00000000060E6000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255308698.00000000060E6000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255250069.00000000060E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.comf
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255282999.0000000006114000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.255224533.0000000006113000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.comrm
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.254124405.00000000060E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comicf
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.290363546.00000000072E2000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253689927.0000000006103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000003.253689927.0000000006103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn=
Source: SWIFT copy.29112022.Pdf.exe, 00000001.00000002.521371650.00000000031F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%
Source: SWIFT copy.29112022.Pdf.exe, 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.287383086.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, SWIFT copy.29112022.Pdf.exe, 00000001.00000000.269625557.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: SWIFT copy.29112022.Pdf.exe, 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary

Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SWIFT copy.29112022.Pdf.exe.46ed468.11.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT copy.29112022.Pdf.exe.46ed468.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.269625557.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.276283014.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.287383086.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 5752, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 6072, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 6072, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: initial sample Static PE information: Filename: SWIFT copy.29112022.Pdf.exe
Source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bA23A83EAu002dA498u002d4AEFu002dBB16u002dCCD2EDE07471u007d/A33BCC3Du002d23D1u002d407Du002d9507u002d8DF915F9F7E3.cs Large array initialization: .cctor: array initializer size 11775
Source: SWIFT copy.29112022.Pdf.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SWIFT copy.29112022.Pdf.exe.46ed468.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT copy.29112022.Pdf.exe.46ed468.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.269625557.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.276283014.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.287383086.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 5752, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 6072, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 6072, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 0_2_02E60798 0_2_02E60798
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 0_2_02E651B8 0_2_02E651B8
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 0_2_02E60789 0_2_02E60789
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 0_2_02E604E8 0_2_02E604E8
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 0_2_02E604F8 0_2_02E604F8
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 0_2_02E6856A 0_2_02E6856A
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 0_2_0552F0D0 0_2_0552F0D0
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 0_2_0552F0BF 0_2_0552F0BF
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 0_2_05524E94 0_2_05524E94
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 0_2_05526870 0_2_05526870
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 0_2_05526860 0_2_05526860
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 0_2_07992BE0 0_2_07992BE0
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 0_2_079E9688 0_2_079E9688
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 0_2_079E0006 0_2_079E0006
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 0_2_079E0040 0_2_079E0040
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 1_2_030146A0 1_2_030146A0
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 1_2_03014673 1_2_03014673
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 1_2_03014690 1_2_03014690
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 1_2_030145B0 1_2_030145B0
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 1_2_0301D980 1_2_0301D980
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 1_2_06426928 1_2_06426928
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 1_2_064294F8 1_2_064294F8
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 1_2_06427540 1_2_06427540
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 1_2_06426C70 1_2_06426C70
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.272914164.0000000003061000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOhdryIYKwtfOhFKUvICmEItYgptrtNr.exe4 vs SWIFT copy.29112022.Pdf.exe
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.287383086.00000000046ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOhdryIYKwtfOhFKUvICmEItYgptrtNr.exe4 vs SWIFT copy.29112022.Pdf.exe
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.273116142.00000000030A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrecision.dll6 vs SWIFT copy.29112022.Pdf.exe
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.273116142.00000000030A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameInspector.dllN vs SWIFT copy.29112022.Pdf.exe
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.284983154.00000000043E7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCollins.dll8 vs SWIFT copy.29112022.Pdf.exe
Source: SWIFT copy.29112022.Pdf.exe, 00000001.00000002.514468515.0000000001158000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SWIFT copy.29112022.Pdf.exe
Source: SWIFT copy.29112022.Pdf.exe, 00000001.00000000.269854347.0000000000438000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOhdryIYKwtfOhFKUvICmEItYgptrtNr.exe4 vs SWIFT copy.29112022.Pdf.exe
Source: SWIFT copy.29112022.Pdf.exe Binary or memory string: OriginalFilenameVeqz.exe< vs SWIFT copy.29112022.Pdf.exe
Source: SWIFT copy.29112022.Pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SWIFT copy.29112022.Pdf.exe ReversingLabs: Detection: 73%
Source: SWIFT copy.29112022.Pdf.exe Virustotal: Detection: 30%
Source: SWIFT copy.29112022.Pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Process created: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Process created: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWIFT copy.29112022.Pdf.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0
Source: SWIFT copy.29112022.Pdf.exe, 00000001.00000002.521706336.000000000323E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SWIFT copy.29112022.Pdf.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: SWIFT copy.29112022.Pdf.exe, vufSgEeDNU2PZNpa8F/R0cKBENTrE4ocpUnSE.cs Cryptographic APIs: 'CreateDecryptor'
Source: SWIFT copy.29112022.Pdf.exe, vufSgEeDNU2PZNpa8F/R0cKBENTrE4ocpUnSE.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SWIFT copy.29112022.Pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SWIFT copy.29112022.Pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SWIFT copy.29112022.Pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Veqz.pdb source: SWIFT copy.29112022.Pdf.exe

Data Obfuscation

Source: SWIFT copy.29112022.Pdf.exe, vufSgEeDNU2PZNpa8F/R0cKBENTrE4ocpUnSE.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 0_2_0552FA40 push ecx; ret 0_2_0552FA55
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 1_2_0642A61F push es; iretd 1_2_0642A63C
Source: SWIFT copy.29112022.Pdf.exe Static PE information: 0xCCE2C364 [Sun Dec 4 21:00:20 2078 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.826301761256588
Source: SWIFT copy.29112022.Pdf.exe, vufSgEeDNU2PZNpa8F/m1DBkvhxrLDaHx1aXT.cs High entropy of concatenated method names: '.ctor', 'lAKyLsrRhI', 'sSxyIq1RUv', 'TIEyRgA8he', 'EDVyJvgQLA', 'cmMysasnQa', 'SUpyc1swaZ', 'sp1yfegApt', 'AXyyMY8Ym9', 'Vb8y7lJ0JH'
Source: SWIFT copy.29112022.Pdf.exe, vufSgEeDNU2PZNpa8F/sgwhL7yPnX3HUGMulo.cs High entropy of concatenated method names: '.ctor', 'vufeSgEDN', 'd2PyZNpa8', 'X8g0whL7P', 'SX3UHUGMu', 'soBEio8ZQ', 'VLao7BuEs', 'jG9hvZuqc', 'S5IOiwHg0', 'zxOvTO6fq'
Source: SWIFT copy.29112022.Pdf.exe, vufSgEeDNU2PZNpa8F/JDFqGQB9MWV7DxvSyy.cs High entropy of concatenated method names: 'UWnEXGFEt6', 'wywEu5nt55', 'tZnEFrY9Xk', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'Gk9brofdW3JVOyMxC0', 'D6VIZXhjRciYkY6W7W', 'oCSJ2HngYZuZZJ20K4', 'cuhv40Oh3jObu7a900'
Source: SWIFT copy.29112022.Pdf.exe, vufSgEeDNU2PZNpa8F/R0cKBENTrE4ocpUnSE.cs High entropy of concatenated method names: '.cctor', 'zStkhPpmy9vIW', 's2iUV5ZbJu', 'cXxUrYOsWd', 'JofUHo9own', 'uo4UxdRRlV', 'XBKUAqwvx4', 'HJYUKiiDl2', 'unAUaf33N0', 'uxJUw6R1mw'
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.274800625.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 5752, type: MEMORYSTR
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.274800625.00000000032D6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.274800625.00000000032D6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe TID: 5772 Thread sleep time: -38122s >= -30000s
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe TID: 6024 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe TID: 3092 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe TID: 5008 Thread sleep count: 9859 > 30
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Window / User API: threadDelayed 9859
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Thread delayed: delay time: 38122
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Thread delayed: delay time: 922337203685477
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.274800625.00000000032D6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.274800625.00000000032D6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.274800625.00000000032D6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: SWIFT copy.29112022.Pdf.exe, 00000000.00000002.274800625.00000000032D6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: SWIFT copy.29112022.Pdf.exe, vufSgEeDNU2PZNpa8F/R0cKBENTrE4ocpUnSE.cs Reference to suspicious API methods: ('iQMUDn1xkD', 'GetProcAddress@kernel32'), ('PGXUSgASJk', 'LoadLibrary@kernel32')
Source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, A/b2.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Memory written: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Process created: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Code function: 1_2_06425D44 GetUserNameW, 1_2_06425D44

Stealing of Sensitive Information

Source: Yara match File source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT copy.29112022.Pdf.exe.46ed468.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.269625557.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.276283014.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287383086.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.521412516.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 5752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 6072, type: MEMORYSTR
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SWIFT copy.29112022.Pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 6072, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT copy.29112022.Pdf.exe.4724888.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.SWIFT copy.29112022.Pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT copy.29112022.Pdf.exe.4759ea8.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SWIFT copy.29112022.Pdf.exe.46ed468.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.269625557.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.276283014.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287383086.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.521412516.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.520553295.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 5752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SWIFT copy.29112022.Pdf.exe PID: 6072, type: MEMORYSTR
No contacted IP infos