Analysis Report Swift_Copy.exe

Overview

General Information

Sample Name: Swift_Copy.exe
Analysis ID: 383913
MD5: c53851f4f5da5ebaf1f67d3ab518478f
SHA1: ae74eadcb41c8662fc0ec8319bd8fdaabcf68631
SHA256: 96259c3b83002e4a46a66a27f0f8510c96359055bd7d9c1f8a723a1f21d71c9c
Tags: AgentTesla, exe, SWIFT

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • Swift_Copy.exe (PID: 7136 cmdline: 'C:\Users\user\Desktop\Swift_Copy.exe' MD5: C53851F4F5DA5EBAF1F67D3AB518478F)
    • schtasks.exe (PID: 5820 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LkUhukiIiawSEs' /XML 'C:\Users\user\AppData\Local\Temp\tmpA681.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Swift_Copy.exe (PID: 7084 cmdline: C:\Users\user\Desktop\Swift_Copy.exe MD5: C53851F4F5DA5EBAF1F67D3AB518478F)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "result.package@yandex.ruBlessing123smtp.yandex.ru"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000007.00000002.905753337.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.679327562.0000000003AA4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Swift_Copy.exe.3998308.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.Swift_Copy.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Swift_Copy.exe.3998308.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Swift_Copy.exe.3ac7e48.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LkUhukiIiawSEs' /XML 'C:\Users\user\AppData\Local\Temp\tmpA681.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LkUhukiIiawSEs' /XML 'C:\Users\user\AppData\Local\Temp\tmpA681.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Swift_Copy.exe', ParentImage: C:\Users\user\Desktop\Swift_Copy.exe, ParentProcessId: 7136, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LkUhukiIiawSEs' /XML 'C:\Users\user\AppData\Local\Temp\tmpA681.tmp', ProcessId: 5820

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.Swift_Copy.exe.3998308.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "result.package@yandex.ruBlessing123smtp.yandex.ru"}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\LkUhukiIiawSEs.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Swift_Copy.exe | Joe Sandbox ML: detected
Source: 7.2.Swift_Copy.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Swift_Copy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Swift_Copy.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_0265A4C8
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_0265B9E8
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_0265B9DB
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_0265A4B8
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_0265A57C
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 77.88.21.158:587
Source: Joe Sandbox View | IP Address: 77.88.21.158
Source: unknown | DNS traffic detected: queries for: smtp.yandex.ru

System Summary:

                    Source: Swift_Copy.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: LkUhukiIiawSEs.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: Swift_Copy.exe, 00000000.00000000.638991575.00000000004AC000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamecDisplayClass130.exeD vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000000.00000002.684426291.000000000E630000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000000.00000002.685071132.000000000E730000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000000.00000002.685071132.000000000E730000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000000.00000002.683468059.0000000007070000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDywYPVsnvvkYPYwtfgclREFLpEPsDjOMvhyaXVq.exe4 vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000000.00000002.683391733.0000000006EC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000007.00000002.907247628.0000000001540000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000007.00000002.907099741.0000000001490000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000007.00000002.906853679.000000000137A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000007.00000002.905949395.0000000000CCC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamecDisplayClass130.exeD vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000007.00000002.905753337.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameDywYPVsnvvkYPYwtfgclREFLpEPsDjOMvhyaXVq.exe4 vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000007.00000002.907190417.0000000001510000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs Swift_Copy.exe
Source: Swift_Copy.exe | Binary or memory string: OriginalFilenamecDisplayClass130.exeD vs Swift_Copy.exe
Source: Swift_Copy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Swift_Copy.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: LkUhukiIiawSEs.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/4@1/1
Source: C:\Users\user\Desktop\Swift_Copy.exe | File created: C:\Users\user\AppData\Roaming\LkUhukiIiawSEs.exe
Source: C:\Users\user\Desktop\Swift_Copy.exe | Mutant created: \Sessions\1\BaseNamedObjects\WeWuAmKiSTyv
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_01
Source: C:\Users\user\Desktop\Swift_Copy.exe | File created: C:\Users\user\AppData\Local\Temp\tmpA681.tmp
Source: Swift_Copy.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Swift_Copy.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Swift_Copy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Swift_Copy.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Swift_Copy.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Swift_Copy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Swift_Copy.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: C:\Users\user\Desktop\Swift_Copy.exe | File read: C:\Users\user\Desktop\Swift_Copy.exe
Source: unknown | Process created: C:\Users\user\Desktop\Swift_Copy.exe 'C:\Users\user\Desktop\Swift_Copy.exe'
Source: C:\Users\user\Desktop\Swift_Copy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LkUhukiIiawSEs' /XML 'C:\Users\user\AppData\Local\Temp\tmpA681.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift_Copy.exe | Process created: C:\Users\user\Desktop\Swift_Copy.exe C:\Users\user\Desktop\Swift_Copy.exe
Source: C:\Users\user\Desktop\Swift_Copy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Swift_Copy.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Swift_Copy.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Swift_Copy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Swift_Copy.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 0_2_00405683 push es; retf 0_2_00405684
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_00C3853F push dword ptr [esi+3Fh]; iretd 7_2_00C38551
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_00C392AB push FFFFFFD9h; iretd 7_2_00C392C8
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_01487A37 push edi; retn 0000h 7_2_01487A39
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_0150DD70 push E40110C3h; ret 7_2_0150DDB9
Source: initial sample | Static PE information: section name: .text entropy: 7.56757034965
Source: C:\Users\user\Desktop\Swift_Copy.exe | File created: C:\Users\user\AppData\Roaming\LkUhukiIiawSEs.exe (dropped file)

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Swift_Copy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LkUhukiIiawSEs' /XML 'C:\Users\user\AppData\Local\Temp\tmpA681.tmp'
Source: C:\Users\user\Desktop\Swift_Copy.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Swift_Copy.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Swift_Copy.exe PID: 7136, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Swift_Copy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Swift_Copy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Swift_Copy.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Swift_Copy.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Swift_Copy.exe | Window / User API: threadDelayed 3235
Source: C:\Users\user\Desktop\Swift_Copy.exe | Window / User API: threadDelayed 6577
Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 7140 | Thread sleep time: -102645s >= -30000s
Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 7156 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 3976 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 6356 | Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 4792